Abstract 

This text answers a question raised by Joux and the second author about the computation 
of discrete logarithms in the multiplicative group of finite fields. Given a finite residue field 
K, one looks for a smoothness basis for K* that is left invariant by automorphisms of K. For 
a broad class of finite fields, we manage to construct models that allow such a smoothness 
basis. This work aims at accelerating discrete logarithm computations in such fields. We 
treat the cases of codimension one (the linear sieve) and codimension two (the function field 
sieve). 

To Gilles Lachaud, on the occasion of his 60th birthday 

1 Motivation 

We look for finite fields that admit a Galois invariant smoothness basis. It is known that such bases accelerate the calculation of discrete logarithms. We first recall this observation by Joux and Lercier in section 2 and we give a first example of this situation in section 3. We recall in section 4 the rudiments of Kummer and Artin-Schreier theories. These theories produce the known examples of such smoothness bases. We then show in section 5 that the only extensions admitting Galois invariant flags of linear spaces are given by those two theories. In section 6 we consider a more general setting: specialization of isogenies between algebraic groups. We deduce a first non trivial example of a Galois invariant smoothness basis in section 7. In section 8 we show that elliptic curves produce a range of such invariant bases, provided the degree of the field is not too large. 

In section 9 we recall the principles of fast sieving algorithms (the number field sieve and the function field sieve). We show in section 10 that our approach can be adapted to these algorithms. A detailed example is given in section 11. We finish with a few remarks and questions about the relevance of our method. 
2 A remark by Joux and Lercier 



We recall in this section the principle of a simple algorithm for computing discrete logarithms in the multiplicative group of a finite field $\mathbb{F}_q$ where $q = p^d$ and $d \ge 2$. See for a survey on discrete logarithm computation. 

The finite field $\mathbb{F}_q$ is seen as a residue field $\mathbb{F}_p[X]/(A(X))$ where $A(X) \in \mathbb{F}_p[X]$ is a degree $d$ unitary irreducible polynomial. We set $x = X \bmod A(X)$. Let $k$ be an integer such that $0 \le k \le d-1$ and let $V_k \subset \mathbb{F}_q$ be the $\mathbb{F}_p$-vector space generated by $1, x, \dots, x^k$. So $V_0 = \mathbb{F}_p \subset V_1 \subset \dots \subset V_{d-1} = \mathbb{F}_q$ and $V_k \times V_l \subset V_{k+l}$ if $k + l \le d - 1$. 

One looks for multiplicative relations between elements of $V_k$ for some integer $k$. For example, if one takes $k = 1$, the relations we are looking for take the form 

\[ \prod_i (a_i + b_i x)^{e_i} = 1 \in \mathbb{F}_q \qquad (1) \]

where the $a_i$ and $b_i$ lie in $\mathbb{F}_p$. We collect such relations until we obtain a basis of the $\mathbb{Z}$-module of relations between elements in $V_k$. 

How do we find relations like relation (1)? Assume again $k = 1$. The simplest form of the sieving algorithm picks random triplets $(a_i, b_i, e_i)$ and computes the remainder $r(X)$ of the Euclidean division of $\prod_i (a_i + b_i X)^{e_i}$ by $A(X)$. So 

\[ r(X) = \prod_i (a_i + b_i X)^{e_i} \bmod A(X) \]

where $r(X)$ is a more or less random polynomial in $\mathbb{F}_p[X]$ with degree $\le d - 1$. 

We hope $r(X)$ decomposes as a product of polynomials with degree smaller than or equal to $k = 1$. If this is the case, we find $r(X) = \prod_j (a'_j + b'_j X)^{f_j}$ and we obtain a relation 

\[ \prod_i (a_i + b_i x)^{e_i} \prod_j (a'_j + b'_j x)^{-f_j} = 1 \]

of the expected form. One says that $V_k$ is the smoothness basis. 

Joux and Lercier notice in [3] that, if there exists an automorphism $\sigma$ of $\mathbb{F}_q$ such that $\sigma(x) = ux + v$ with $u, v \in \mathbb{F}_p$, then the action of $\sigma$ on equation (1) produces another equation of the same kind. Since the efficiency of discrete logarithm algorithms depends on the number of such equations one can produce in a given amount of time, one wishes to know when such useful automorphisms exist. We also wonder how to generalize this observation. 

We stress that $\sigma$ acts both on equations and on factors of the form $a_i + b_i x$. Rather than increasing the number of equations, such an action may be used to lower the number of factors involved in them. If $\sigma$ is the $n$-th power of the Frobenius automorphism, we obtain for free 

\[ \sigma(a + bx) = (a + bx)^{p^n} = a + bv + ubx. \]

So we can remove $a + bv + ubx$ from the smoothness basis and replace it everywhere by $(a + bx)^{p^n}$. This way, we only keep one element in every orbit of the Galois group acting on $V_k$. As a consequence, the size of the linear system we must solve is divided by the order of the group generated by $\sigma$. If $\sigma$ generates the full Galois group of $\mathbb{F}_q/\mathbb{F}_p$, then the number of unknowns is divided by $d$, the degree of the finite field $\mathbb{F}_q$. 

Our concern in this text is to find models for finite fields for which the automorphisms respect the special form of certain elements. For example, if the finite field is given as above, the elements are given as polynomials in $x$. Any element $z$ of the finite field has a degree: this is the smallest integer $k$ such that $z \in V_k$. The degree of $a_0 + a_1 x + \dots + a_k x^k$ is thus $k$ provided $0 \le k < d$ and $a_k \ne 0$ (and by convention, $\deg 0 = 0$). The degree is sub-additive, $\deg(w \times z) \le \deg(w) + \deg(z)$. 

The question raised boils down to asking if this degree function is preserved by the automorphisms of $\mathbb{F}_q$. It is worth noticing that the interest of the degree function in this context comes from the following properties. 

• The degree is sub-additive (and often even additive): the degree of the product of two non zero elements is the sum of the degrees of the two elements provided this sum is $< d$. 

• The degree sorts the elements of $\mathbb{F}_q$ nicely: there are $q^n$ elements of degree $< n$ if $1 \le n \le d$. 

• There exists a factoring algorithm that decomposes some elements in $\mathbb{F}_q$ as products of elements with smaller degrees (e.g. with degree $\le k$). The density of such $k$-smooth elements is not too small. 

In this article, we look for such degree functions on finite fields having the extra property that they are Galois invariant: two conjugate elements have the same degree. 

3 A first example 

Here is an example provided by Joux and Lercier. Take $p = 43$ and $d = 6$, so $q = 43^6$, and set $A(X) = X^6 - 3$ which is an irreducible polynomial in $\mathbb{F}_{43}[X]$. So $\mathbb{F}_q$ is seen as the residue field 

\[ \mathbb{F}_{43}[X]/(X^6 - 3). \]

One checks that $p = 43$ is congruent to 1 modulo $d = 6$, so $\phi(x) = x^{43} = (x^6)^7 \times x = 3^7 x = \zeta_6 x$ where $\zeta_6 = 3^7 = 37 \bmod 43$ is a primitive sixth root of unity. Since the Frobenius $\phi$ generates the Galois group, one can divide by 6 the size of the smoothness basis. 

In the second example provided by Joux and Lercier (and coming from XTR of type T30) one takes $p = 370801$ and $d = 30$ with $A(X) = X^{30} - 17$. This time, $p$ is congruent to 1 modulo $d = 30$ and $\phi(x) = x^p = x^{30 \times 12360} \times x = \zeta_{30} x$ where $\zeta_{30} = 17^{12360} \bmod p = 172960 \bmod p$. As a consequence, one can divide by 30 the size of the smoothness basis. 

We are here in the context of Kummer theory. In the next section we recall the basics of 
this theory, that classifies cyclic extensions of ¥ p with degree d dividing p — 1. Artin-Schreier 
theory is the counterpart for cyclic p-extensions in characteristic p and we sketch it as well. Both 
theories are of very limited interest for our purpose. We shall need to consider the more general 
situation of an algebraic group with rational torsion. 


4 Kummer and Artin-Schreier theories 



The purpose here is to classify cyclic extensions of degree $d \ge 2$ of a field $K$ with characteristic $p$ in two simple cases. 

• Kummer case: $p$ is prime to $d$ and $K$ contains a primitive $d$-th root of unity; 

• Artin-Schreier case: $d = p$. 

Kummer theory. We follow Bourbaki [1, A V.84]. According to Kummer theory, if $p$ is prime to $d$ and $K$ contains a primitive $d$-th root of unity, then every degree $d$ cyclic extension of $K$ is generated by a radical. 

Assume $K$ is embedded in some algebraic closure $\bar{K}$. To every $a$ in $K^*/(K^*)^d$ (which we may regard as an element in $K^*$), we associate the field $L = K(a^{1/d})$ where $a^{1/d}$ is any root of $X^d - a$ in $\bar{K}$. 

The map $x \mapsto x^d$ is an epimorphism from the multiplicative group $\bar{K}^*$ onto itself. The kernel of this epimorphism is the group of $d$-th roots of unity. The roots of $X^d - a$ lie in the inverse image of $a$ by this epimorphism. 

The field $K(a^{1/d})$ may not be isomorphic to $K[X]/(X^d - a)$. It is when $a$ has order $d$ in the group $K^*/(K^*)^d$. On the other hand, if $a$ lies in $(K^*)^d$ then $K[X]/(X^d - a)$ is the product of $d$ copies of $K$. 

Let's come back to the case when $a$ has order $d$ in $K^*/(K^*)^d$. The degree $d$ extension $L/K$ is Galois since, if we set $b = a^{1/d}$, we have 

\[ X^d - a = (X - b)(X - b\zeta_d)(X - b\zeta_d^2) \cdots (X - b\zeta_d^{d-1}) \]

where $\zeta_d$ is a primitive $d$-th root of unity. The Galois group of $L/K$ is made of transformations $\sigma_n : x \mapsto x\zeta_d^n$ and the map $n \mapsto \sigma_n$ is an isomorphism from the group $\mathbb{Z}/d\mathbb{Z}$ onto $\mathrm{Gal}(L/K)$. 

To avoid distinguishing too many cases, one follows Bourbaki [1, A V.84]. Rather than a single element in $K^*/(K^*)^d$ one picks a subgroup $H$ of $K^*$ containing $(K^*)^d$ and one forms the extension $K(H^{1/d})$ by adding to $K$ all $d$-th roots of all elements in $H$. To every automorphism $\sigma$ in $\mathrm{Gal}(K(H^{1/d})/K)$, one associates a homomorphism $\psi(\sigma)$ from $H/(K^*)^d$ to the group $\mu_d(K)$ of $d$-th roots of unity. The homomorphism $\psi(\sigma)$ is defined by 

where $c$ is one of the $d$-th roots of $\theta$. The map $\sigma \mapsto \psi(\sigma)$ is an isomorphism from $\mathrm{Gal}(K(H^{1/d})/K)$ onto $\mathrm{Hom}(H/(K^*)^d, \mu_d(K))$. This presentation of Kummer theory constructs abelian extensions of $K$ with exponent dividing $d$. 

In the case we are interested in, the field $K = \mathbb{F}_q$ is finite. Any subgroup $H$ of $K^*$ is cyclic. In order to have $\mu_d$ in $K$, one assumes that $d$ divides $q - 1$. We set $q - 1 = md$. The group $(K^*)^d$ has order $m$. The quotient $K^*/(K^*)^d$ is cyclic of order $d$. It is natural to take $H = K^*$. We find the unique degree $d$ cyclic extension $L$ of $K$. It is generated by a $d$-th root of a generator $a$ of 

Set $b = a^{1/d}$ and $L = K(b)$. The Galois group $\mathrm{Gal}(L/K)$ is generated by the Frobenius $\phi$ and the action of $\phi$ on $b$ is given by $\phi(b) = b^q$, so 

\[ \zeta = \frac{\phi(b)}{b} = b^{q-1} = a^m \]

is a $d$-th root of unity that depends on $a$. The map $a \mapsto \zeta$ is an isomorphism of $K^*/(K^*)^d$ onto $\mu_d(K)$ which is nothing but exponentiation by $m$. 

The limitations of this construction are clear: it requires primitive $d$-th roots of unity in $K$. Otherwise, one may jump to some auxiliary extension $K' = K(\mu_d)$ of $K$, which may be quite large. One applies Kummer theory to this bigger extension and one obtains a degree $d$ cyclic extension $L'/K'$. Descent can be performed using resolvents (see [6, Chapter III.4]) at a serious computational expense. We shall not follow this track. 



Example. Coming back to the first example one finds $q = p = 43$, $p - 1 = 42$, $d = 6$, $m = 7$, $a = 3$ and $\phi(b)/b = a^m = 3^7 \bmod 43$. 



Artin-Schreier theory. We follow Bourbaki [1, A V.88]. If $p$ is the characteristic of $K$, then any cyclic degree $p$ extension of $K$ is generated by the roots of a polynomial of the form 

\[ X^p - X - a = \wp(X) - a = 0 \]

where $a \in K$ and the expression $\wp(X) = X^p - X$ plays a similar role to $X^d$ in Kummer theory. The map $x \mapsto \wp(x)$ defines an epimorphism from the additive group $\bar{K}$ onto itself. The kernel of this epimorphism is the additive group of the prime field $\mathbb{F}_p \subset K$. 

Let $a$ be an element of $K/\wp(K)$ (that we may see as an element of $K$ in this class). One associates to it the extension field $L = K(b)$ where $b \in \wp^{-1}(a)$. If $a$ has order $p$ in $K/\wp(K)$, the extension $L/K$ has degree $p$ and is Galois since we have 

\[ X^p - X - a = (X - b)(X - b - 1)(X - b - 2) \cdots (X - b - (p-1)). \]

The Galois group is made of transformations of the form $\sigma_n : x \mapsto x + n$ and the map $n \mapsto \sigma_n$ is an isomorphism from the group $\mathbb{Z}/p\mathbb{Z}$ onto $\mathrm{Gal}(L/K)$. 

Again, if one wishes to construct all abelian extensions of $K$ with exponent $p$ one follows Bourbaki [1, A V.88]. One takes a subgroup $H$ of $(K, +)$ containing $\wp(K)$ and one forms the extension $K(\wp^{-1}(H))$. To every automorphism $\sigma$ in $\mathrm{Gal}(K(\wp^{-1}(H))/K)$, one associates a homomorphism $\psi(\sigma)$ from $H/\wp(K)$ onto the additive group $\mathbb{F}_p$ of the prime field. The homomorphism $\psi(\sigma)$ is defined by 

\[ \psi(\sigma) : \theta \mapsto \sigma(c) - c \]

where $c$ belongs to $\wp^{-1}(\theta)$, the fiber of $\wp$ above $\theta$. 

The map $\sigma \mapsto \psi(\sigma)$ is an isomorphism from the Galois group $\mathrm{Gal}(K(\wp^{-1}(H))/K)$ onto $\mathrm{Hom}(H/\wp(K), \mathbb{F}_p)$. 
In our case, the field $K = \mathbb{F}_q$ is finite of characteristic $p$. We set $q = p^f$. The morphism $\wp : \mathbb{F}_q \to \mathbb{F}_q$ has kernel $\mathbb{F}_p$ and the quotient $\mathbb{F}_q/\wp(\mathbb{F}_q)$ has order $p$. The unique degree $p$ extension $L$ of $\mathbb{F}_q$ is generated by $b \in \wp^{-1}(a)$ where $a \in \mathbb{F}_q - \wp(\mathbb{F}_q)$. The Galois group $\mathrm{Gal}(L/K)$ is generated by the Frobenius $\phi$ and $\phi(b) - b$ belongs to $\mathbb{F}_p$. The map $a \mapsto \phi(b) - b$ is an isomorphism from $K/\wp(K)$ onto $\mathbb{F}_p$. 

Let us make this isomorphism more explicit. We have $\phi(b) = b^q$ where $q = p^f$ is the order of $K = \mathbb{F}_q$. One computes 

\[ \phi(b) - b = b^q - b = (b^p)^{p^{f-1}} - b = (b + a)^{p^{f-1}} - b \quad \text{since } \wp(b) = b^p - b = a. \]

So $b^{p^f} - b = b^{p^{f-1}} - b + a^{p^{f-1}}$. Iterating, we obtain 

\[ \phi(b) - b = b^{p^f} - b = a + a^p + a^{p^2} + \dots + a^{p^{f-1}}. \]

The isomorphism from $K/\wp(K)$ onto the additive group $\mathbb{F}_p$ is nothing but the absolute trace. 

Example. Take $p = 7$ and $f = 1$, so $q = 7$. The absolute trace of 1 is 1, so we set $K = \mathbb{F}_7$ and $A(X) = X^7 - X - 1$ and we set $L = \mathbb{F}_{7^7} = \mathbb{F}_7[X]/(A(X))$. Setting $x = X \bmod A(X)$, one has $\phi(x) = x + 1$. 

5 Invariant linear spaces of a cyclic extension 

Let us recall that the question raised in section 2 concerns the existence of automorphisms that stabilize a given smoothness basis. We saw that smoothness bases are usually made using flags of linear spaces. Therefore, one wonders if, for a given cyclic extension $L/K$, there exist $K$-vector subspaces of $L$ that are left invariant by the Galois group of $L/K$. 

Let $d \ge 2$ be an integer and $L = K[X]/(X^d - r)$ a Kummer extension. For any integer $k$ between $0$ and $d - 1$, let $V_k = K \oplus Kx \oplus \dots \oplus Kx^k$ be the $K$-vector subspace generated by the $k + 1$ first powers of $x = X \bmod X^d - r$. The $V_k$ are invariant under Galois action since for $\sigma$, a $K$-automorphism of $L$, there exists a $d$-th root of unity $\zeta \in K$ such that 

and $\sigma(x^k) = \zeta^k x^k$. One has a flag of $K$-vector spaces, $V_0 = K \subset V_1 \subset \dots \subset V_{d-1} = L$, respected by Galois action. So the "degree" function is invariant under this action. This is exactly what happens in the two examples of section 2. If the smoothness basis is made of irreducible polynomials of degree $\le k$, then it is acted on by the Galois group. 

If now $L = K[X]/(X^p - X - a)$ is an Artin-Schreier extension, for every integer $k$ between $0$ and $p - 1$, we call $V_k = K \oplus Kx \oplus \dots \oplus Kx^k$ the $K$-vector space generated by the $k + 1$ first powers of $x = X \bmod X^p - X - a$. The $V_k$ are globally invariant under Galois action. Indeed, if $\sigma$ is a $K$-automorphism of $L$, then there is an $n \in \mathbb{F}_p$ such that $\sigma(x) = x + n$, so 

\[ \sigma(x^k) = (x + n)^k = \sum_{0 \le e \le k} \binom{k}{e} n^{k-e} x^e. \]
We find again a flag of $K$-vector spaces, $V_0 = K \subset V_1 \subset \dots \subset V_{p-1} = L$, that is fixed by Galois action. This time, the Galois action is no longer diagonal but triangular. For cyclic extensions of degree a power of $p$, Witt-Artin-Schreier theory also produces a flag of Galois invariant vector spaces. See the beginning of Lara Thomas's thesis [11] for an introduction with references. 

One may wonder if Galois invariant flags of vector spaces exist for other cyclic field extensions. Assume $L/K$ is a degree $d$ cyclic extension where $d$ is prime to the characteristic $p$. Let $\phi$ be a generator of the Galois group $C = \langle \phi \rangle = \mathrm{Gal}(L/K)$. According to the normal basis theorem [4, Theorem 13.1.], there exists a $w$ in $L$ such that 

\[ (w, \phi(w), \phi^2(w), \dots, \phi^{d-1}(w)) \]

is a $K$-basis of $L$. Therefore $L$, as a $K[C]$-module, is isomorphic to the regular representation. The order $d$ of $C$ being prime to the characteristic, the ring $K[C]$ is semi-simple according to Maschke's theorem [4, Theorem 1.2.]. The characteristic polynomial of $\phi$ acting on the $K$-vector space $L$ is $X^d - 1$. This is a separable polynomial in $K[X]$. 

To every $K$-irreducible factor $f(X) \in K[X]$ of $X^d - 1$, there corresponds a unique irreducible characteristic subspace $V_f \subset L$, invariant by $\phi$. The characteristic polynomial of $\phi$ restricted to $V_f$ is $f$. According to Schur's lemma [4, Proposition 1.1.], any $K[C]$-submodule of $L$ is a direct sum of some $V_f$. 

Assume there exists a complete flag of $K$-vector spaces, each invariant by $\phi$, $V_0 = K \subset V_1 \subset \dots \subset V_{d-1} = L$, where $V_k$ has dimension $k$. Then all irreducible factors of $X^d - 1$ must have degree 1. So $K$ contains primitive $d$-th roots of unity and we are in the context of Kummer theory. To every Galois invariant flag, there corresponds an order on the $d$-th roots of unity (or equivalently on the associated characteristic spaces in $L$). There are $d!$ such flags. 

The flags produced by Kummer theory are of the following form: 

\[ V_1 \subset V_1 \oplus V_\zeta \subset V_1 \oplus V_\zeta \oplus V_{\zeta^2} \subset \dots \subset V_1 \oplus V_\zeta \oplus V_{\zeta^2} \oplus \dots \oplus V_{\zeta^{d-2}} \subset V_1 \oplus V_\zeta \oplus V_{\zeta^2} \oplus \dots \oplus V_{\zeta^{d-2}} \oplus V_{\zeta^{d-1}} \]

where $\zeta$ is a primitive $d$-th root of unity and $V_\zeta$ is $V_{X - \zeta}$, the eigenspace associated to $\zeta$. 

Among the $d!$ flags that are $\phi$-invariant, only $\varphi(d)$ come from Kummer theory. They correspond to the $\varphi(d)$ primitive roots of unity. These flags enjoy a multiplicative property: if $k \ge 0$ and $l \ge 0$ and $k + l \le d - 1$, then $V_k \times V_l \subset V_{k+l}$. 

The conclusion of this section is thus rather negative. If we want to go further than Kummer 
theory, we cannot ask for Galois invariant flags of vector subspaces. 

6 Specializing isogenies between commutative algebraic groups 

Kummer and Artin-Schreier theories are two special cases of a general situation that we now 
describe. Our aim is to produce nice models for a broader variety of finite fields. 
Let $K$ be a field and $G$ a commutative algebraic group over $K$. Let $T \subset G(K)$ be a non trivial finite group of $K$-rational points in $G$ and let 

\[ I : G \to H \]

be the quotient isogeny of $G$ by $T$. Let $d \ge 2$ be the cardinality of $T$ which is also the degree of $I$. Assume there exists a $K$-rational point $a$ on $H$ such that $I^{-1}(a)$ is irreducible over $K$. Then every point $b \in G(\bar{K})$ such that $I(b) = a$ defines a cyclic degree $d$ extension $L$ of $K$: we set $L = K(b)$ and we notice that the geometric origin of this extension results in a nice description of the $K$-automorphisms of $L$. 

Let $t$ be a point in $T$ and let $\oplus_G$ stand for the addition law in the algebraic group $G$. Let $\oplus_H$ stand for the addition law in $H$. We denote by $0_G$ the unit element in $G$ and $0_H$ the one in $H$. The point $t \oplus_G b$ verifies 

\[ I(t \oplus_G b) = I(t) \oplus_H I(b) = 0_H \oplus_H a = a. \]

So $t \oplus_G b$ is Galois conjugate to $b$ and all conjugates are obtained that way from all points $t$ in $T$. So we have an isomorphism between $T$ and $\mathrm{Gal}(L/K)$, which associates to every $t \in T$ the residual automorphism 

\[ b \in I^{-1}(a) \mapsto b \oplus_G t. \]

Now, assuming the geometric formulae that describe the translation $P \mapsto P \oplus_G t$ in $G$ are simple enough, we obtain a nice description of the Galois group of $L$ over $K$. 

Kummer and Artin-Schreier theories provide two illustrations of this general geometric situation. 

The algebraic group underlying Kummer theory is the multiplicative group $\mathbb{G}_m$ over the base field $K$. The isogeny $I$ is the multiplication by $d$: 

\[ I = [d] : \mathbb{G}_m \to \mathbb{G}_m. \]

One can see the group $\mathbb{G}_m$ as a sub-variety of the affine line $\mathbb{A}^1$ with $z$-coordinate. The inequality $z \ne 0$ defines the open subset $\mathbb{G}_m \subset \mathbb{A}^1$. The origin $0_G$ has coordinate $z(0_G) = 1$. The group law is given by 

\[ z(P_1 \oplus_{\mathbb{G}_m} P_2) = z(P_1) \times z(P_2). \]

Here we have $H = G = \mathbb{G}_m$ and the isogeny $I$ can be given in terms of the $z$-coordinates by 

\[ z(I(P)) = z(P)^d. \]

Points in the kernel of $I$ have for $z$-coordinates the $d$-th roots of unity. The inverse image by $I$ of a point $P$ in $G$ is made of $d$ geometric points having for $z$-coordinates the $d$-th roots of $z(P)$. Translation by an element $t$ of the kernel of $I$, $P \mapsto P \oplus_{\mathbb{G}_m} t$, can be expressed in terms of $z$-coordinates by 

\[ z(P \oplus_{\mathbb{G}_m} t) = z(P) \times \zeta \]

where $\zeta = z(t)$ is the $d$-th root of unity associated by $z$ to the $d$-torsion point $t$. 
As far as Artin-Schreier theory is concerned, the underlying algebraic group is the additive group $\mathbb{G}_a$ over the base field $K$, identified with the affine line $\mathbb{A}^1$ over $K$. A point $P$ on $\mathbb{G}_a$ is given by its $z$-coordinate. The origin $0_G$ has coordinate $z(0_G) = 0$ and the group law is given by 

\[ z(P_1 \oplus_{\mathbb{G}_a} P_2) = z(P_1) + z(P_2). \]

The degree $p$ isogeny $I$ is $\wp : \mathbb{G}_a \to \mathbb{G}_a$, given in terms of $z$-coordinates by 

\[ z(\wp(P)) = z(P)^p - z(P). \]

Here again $H = G$. The $z$-coordinates of points in the kernel of $\wp$ are the elements of the prime field $\mathbb{F}_p$. The inverse image by $I$ of a point $P$ in $G$ is made of $p$ geometric points whose $z$-coordinates are the $p$ roots of the equation $X^p - X = z(P)$. Translation by an element $t$ in the kernel of $I$, $P \mapsto P \oplus_{\mathbb{G}_a} t$, can be expressed in terms of $z$-coordinates by 

\[ z(P \oplus_{\mathbb{G}_a} t) = z(P) + \tau \quad \text{where } \tau = z(t) \in \mathbb{F}_p. \]



7 A different example 

We plan to apply the generalities in the previous section to various algebraic groups. We guess every commutative algebraic group may bring its contribution to the construction of Galois invariant smoothness bases. Since we look for simple translation formulae, we expect the simplest algebraic groups to be the most useful. We start with the most familiar algebraic groups (after $\mathbb{G}_m$ and $\mathbb{G}_a$): these are the dimension 1 tori. Let $K$ be a field with characteristic different from 2 and let $D$ be a non zero element in $K$. Let $\mathbb{P}^1$ be the projective line with projective coordinates $[U, V]$. Let $u = U/V$ be the associated affine coordinate. We denote by $G$ the open subset of $\mathbb{P}^1$ defined by the inequality 

\[ U^2 - DV^2 \ne 0. \]

To every point $P$ of $G$, we associate its $u$-coordinate, possibly infinite but distinct from $\sqrt{D}$ and $-\sqrt{D}$. The unit element in $G$ is the point $0_G$ with projective coordinates $[1, 0]$ and $u$-coordinate $\infty$. For $P_1 \ne 0_G$ and $P_2 \ne 0_G$, the addition law is given by 

We now assume that $K = \mathbb{F}_q$ is a finite field and $D \in \mathbb{F}_q^*$ is not a square in $\mathbb{F}_q$. The group $G(\mathbb{F}_q)$ has order $q + 1$ and the corresponding values of $u$ lie in $\mathbb{F}_q \cup \{\infty\}$. The Frobenius endomorphism, $\phi : G \to G$, $[U, V] \mapsto [U^q, V^q]$, is nothing but multiplication by $-q$. Indeed, let $P$ be a point with projective coordinates $[U, V]$. The projective coordinates of $R = [q]P$ are the coordinates in $(1, \sqrt{D})$ of 

\[ (U + V\sqrt{D})^q = U^q - \sqrt{D}\,V^q \]

because $D$ is not a square in $\mathbb{F}_q$. So $R$ has coordinates $[U^q, -V^q]$ and it is the inverse of $\phi(P)$. 
We pick an integer $d \ge 2$ such that the $d$-torsion $G[d]$ is $\mathbb{F}_q$-rational. This is equivalent to the condition that $d$ divides $q + 1$. We set $q + 1 = md$. Let $I$ be the multiplication by $d$ isogeny, $I = [d] : G \to G$, with kernel the cyclic group $G[d]$ of order $d$. The quotient $G(\mathbb{F}_q)/I(G(\mathbb{F}_q)) = G(\mathbb{F}_q)/G(\mathbb{F}_q)^d$ is cyclic of order $d$. 

Let $a$ be a generator of $G(\mathbb{F}_q)$ and $b$ a geometric point in the fiber of $I$ above $a$. Let $u(b)$ be the $u$-coordinate of $b$ and set $L = K(u(b))$. This is a degree $d$ extension of $K = \mathbb{F}_q$. So $L = \mathbb{F}_{q^d}$. 

The Galois group of $\mathbb{F}_{q^d}/\mathbb{F}_q$ is isomorphic to $G[d]$: for any $\sigma \in \mathrm{Gal}(\mathbb{F}_{q^d}/\mathbb{F}_q)$, the difference $\sigma(b) \ominus_G b$ is in $G[d]$ and the pairing 

\[ (\sigma, a) \mapsto \sigma(b) \ominus_G b \]

defines an isomorphism of $\mathrm{Gal}(\mathbb{F}_{q^d}/\mathbb{F}_q)$ onto $\mathrm{Hom}(G(\mathbb{F}_q)/(G(\mathbb{F}_q))^d, G[d])$. 

Here $\mathrm{Gal}(\mathbb{F}_{q^d}/\mathbb{F}_q)$ is cyclic of order $d$ generated by the Frobenius $\phi$. The pairing $(\phi, a)$ equals $\phi(b) \ominus_G b$. Remember that $\phi(b) = [-q]b$ in $G$. So 

\[ (\phi, a) = [-q-1]b = [-m]a. \qquad (2) \]

We obtain an exact description of the Galois action on $I^{-1}(a)$. It is given by translations of the form $P \mapsto P \oplus_G t$ with $t \in G[d]$. If we denote by $\tau$ the affine coordinate of $t$ and by $u$ the coordinate of $P$ then the action is given by 

\[ u \mapsto \frac{\tau u + D}{u + \tau}, \]

which is rather nice since it is a rational linear transform. 
We form the polynomial 

\[ A(X) = \prod_{b \in I^{-1}(a)} (X - u(b)) \]

annihilating the $u$-coordinates of points in the inverse image of $a$ by $I$. This is a degree $d$ polynomial with coefficients in $K = \mathbb{F}_q$. It is irreducible in $\mathbb{F}_q[X]$ because $a$ generates $G(\mathbb{F}_q)$. We have $L = K[X]/(A(X)) = \mathbb{F}_{q^d}$. 

The exponentiation formulae in $G$ give the explicit form of $A(X)$. One has 

\[ (U + V\sqrt{D})^d = \sum_{0 \le 2k \le d} \binom{d}{2k} U^{d-2k} V^{2k} D^k + \sqrt{D} \sum_{1 \le 2k+1 \le d} \binom{d}{2k+1} U^{d-2k-1} V^{2k+1} D^k. \]

So, 

\[ u([d]P) = \frac{\sum_{0 \le 2k \le d} \binom{d}{2k} u(P)^{d-2k} D^k}{\sum_{1 \le 2k+1 \le d} \binom{d}{2k+1} u(P)^{d-2k-1} D^k}. \]

And 

\[ A(X) = \sum_{0 \le 2k \le d} \binom{d}{2k} D^k X^{d-2k} - u(a) \sum_{1 \le 2k+1 \le d} \binom{d}{2k+1} D^k X^{d-2k-1}. \]
We set $x = X \bmod A(X)$. Since every $\mathbb{F}_q$-automorphism of $\mathbb{F}_{q^d}$ transforms $x$ into a linear rational fraction of $x$, it is natural to define for every integer $k$ such that $k \ge 0$ and $k < d$ the subset 

\[ V_k = \left\{ \frac{u_0 + u_1 x + u_2 x^2 + \dots + u_k x^k}{v_0 + v_1 x + v_2 x^2 + \dots + v_k x^k} \;\middle|\; (u_0, u_1, \dots, u_k, v_0, v_1, \dots, v_k) \in K^{2k+2} \right\}. \]

One has $\mathbb{F}_q = V_0 \subset V_1 \subset \dots \subset V_{d-1} = \mathbb{F}_{q^d}$ and the $V_k$ are Galois invariant. Further, it is clear that $V_k \times V_l \subset V_{k+l}$ provided $k + l \le d - 1$. Again we find a flag of Galois invariant subsets of $L = \mathbb{F}_{q^d}$. But these subsets are no longer vector spaces. 

If we define the degree of an element of $L$ to be the smallest integer $k$ such that $V_k$ contains this element, then the degree is Galois invariant and sub-additive, $\deg(w \times z) \le \deg(w) + \deg(z)$. The degree this time takes values between $0$ and $\lfloor d/2 \rfloor$. It is a slightly less informative function than in the Kummer or Artin-Schreier cases (it takes half as many values). 



Example. Take $p = q = 13$ and $d = 7$. So $m = 2$. Let $D = 2$ which is not a square in $\mathbb{F}_{13}$. We look for some $a = U + \sqrt{2}V$ such that $U^2 - 2V^2 = 1$ and $a$ has order $p + 1 = 14$ in $\mathbb{F}_{13}(\sqrt{2})^*$. For example $U = 3$ and $V = 2$ are fine. The $u$-coordinate of $3 + 2\sqrt{2}$ is $u(a) = 3/2 = 8$. One can write the polynomial 

\[ A(X) = X^7 + 3X^5 + 10X^3 + 4X - 8(7X^6 + 5X^4 + 6X^2 + 8). \]

Formula (2) predicts the Frobenius action. We set $t = [-m]a = [-2]a$ so $u(t) = 4$ and the Frobenius operates by translation by $t$, so $X^p = \frac{4X + 2}{X + 4} \bmod A(X)$. 
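As an added illustration (our own script, not part of the paper), the following Python code checks the Frobenius action in the three models met so far with plain polynomial arithmetic over $\mathbb{F}_p$: the Kummer example of section 3 ($x^{43} = 37x$ in $\mathbb{F}_{43}[X]/(X^6 - 3)$), the Artin-Schreier example of section 4 ($x^7 = x + 1$), and the torus example above, where $A(X)$ is rebuilt from the binomial formula and $x^{13} = (4x + 2)/(x + 4) \bmod A(X)$ is verified. It also counts the orbits of the monic linear factors $X + a$ under $\sigma$, which is the reduction of the smoothness basis described in section 2; all function names are ours.

```python
from math import comb

# Polynomials over F_p are lists of coefficients, lowest degree first.
def trim(f):
    while f and f[-1] == 0:
        f.pop()
    return f

def mul(f, g, p):
    h = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            h[i + j] = (h[i + j] + a * b) % p
    return trim(h)

def mod(f, A, p):
    """Remainder of f modulo the monic polynomial A over F_p."""
    f = trim(list(f))
    while len(f) >= len(A):
        c, s = f[-1], len(f) - len(A)
        for i, a in enumerate(A):
            f[s + i] = (f[s + i] - c * a) % p
        trim(f)
    return f

def powmod(f, e, A, p):
    """f^e mod A by square-and-multiply."""
    result, base = [1], mod(f, A, p)
    while e:
        if e & 1:
            result = mod(mul(result, base, p), A, p)
        base = mod(mul(base, base, p), A, p)
        e >>= 1
    return result

def frobenius_of_x(A, p):
    """x^p, the image of x = X mod A(X) under the Frobenius of F_p[X]/(A(X))."""
    return powmod([0, 1], p, A, p)

def as_affine(f, p):
    """Return (u, v) with f = v + u x when deg f <= 1, else None."""
    if len(f) > 2:
        return None
    return ((f[1] if len(f) > 1 else 0) % p, (f[0] if f else 0) % p)

def linear_factor_orbits(p, u, v):
    """Orbits of the monic linear polynomials X + a under sigma(x) = u x + v.
    sigma(x + a) = u (x + (a + v)/u), so a -> (a + v)/u; one representative
    per orbit suffices in the smoothness basis (section 2)."""
    uinv = pow(u, -1, p)
    seen, orbits = set(), 0
    for a in range(p):
        if a not in seen:
            orbits += 1
            while a not in seen:
                seen.add(a)
                a = (a + v) * uinv % p
    return orbits

def torus_polynomial(d, D, ua, p):
    """A(X) = sum_{0<=2k<=d} C(d,2k) D^k X^{d-2k}
            - u(a) sum_{1<=2k+1<=d} C(d,2k+1) D^k X^{d-2k-1}   (section 7)."""
    A = [0] * (d + 1)
    for k in range(d // 2 + 1):
        A[d - 2 * k] = (A[d - 2 * k] + comb(d, 2 * k) * pow(D, k, p)) % p
    for k in range((d - 1) // 2 + 1):
        A[d - 2 * k - 1] = (A[d - 2 * k - 1] - ua * comb(d, 2 * k + 1) * pow(D, k, p)) % p
    return A

def frobenius_is_mobius(A, p, tau, D):
    """Check x^p (x + tau) == tau x + D mod A, i.e. x^p = (tau x + D)/(x + tau)."""
    xp = frobenius_of_x(A, p)
    return mod(mul(xp, [tau % p, 1], p), A, p) == mod([D % p, tau % p], A, p)

# Section 3 (Kummer): p = 43, A = X^6 - 3; expect x^43 = 37 x and 8 orbits of X + a.
KUMMER = (43, [(-3) % 43, 0, 0, 0, 0, 0, 1])
# Section 4 (Artin-Schreier): p = 7, A = X^7 - X - 1; expect x^7 = x + 1, one orbit.
ARTIN_SCHREIER = (7, [(-1) % 7, (-1) % 7, 0, 0, 0, 0, 0, 1])
# Section 7 (torus): p = 13, D = 2, d = 7, u(a) = 8, tau = u(t) = 4.
TORUS = torus_polynomial(7, 2, 8, 13)

if __name__ == "__main__":
    for name, (p, A) in (("Kummer", KUMMER), ("Artin-Schreier", ARTIN_SCHREIER)):
        u, v = as_affine(frobenius_of_x(A, p), p)
        print(f"{name}: x^{p} = {u} x + {v}, orbits of X + a: {linear_factor_orbits(p, u, v)}")
    print("torus: x^13 = (4x + 2)/(x + 4) mod A(X):", frobenius_is_mobius(TORUS, 13, 4, 2))
```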

So we have made a small progress: we can now treat extensions of $\mathbb{F}_q$ of degree dividing $q + 1$. Unfortunately this condition is just as restrictive (though different) as the one imposed by Kummer theory. What do we do if the degree divides neither $q + 1$ nor $q - 1$? 

We must diversify the algebraic groups we use. The next family to consider is made of elliptic 
curves. 



8 Residue fields of divisors on elliptic curves 

We now specialize the computations in section 6 to the case where $G$ is an elliptic curve. Take $K = \mathbb{F}_q$ a finite field for which we want to construct a degree $d \ge 2$ extension where $d$ is prime to the characteristic $p$ of $\mathbb{F}_q$. Here $G = E$ is an ordinary elliptic curve over $\mathbb{F}_q$. We denote by $\phi$ the Frobenius endomorphism of $E$. Let $\mathfrak{i}$ be an invertible ideal in the endomorphism ring $\mathrm{End}(E)$ of $E$. Assume $\mathfrak{i}$ divides $\phi - 1$ and $\mathrm{End}(E)/\mathfrak{i}$ is cyclic of order $d \ge 2$. So $E(\mathbb{F}_q)$ contains a cyclic subgroup $T = \ker \mathfrak{i}$ of order $d$. 

Let $I : E \to F$ be the degree $d$ cyclic isogeny with kernel $T$. The quotient $F(\mathbb{F}_q)/I(E(\mathbb{F}_q))$ is isomorphic to $T$. Take $a$ in $F(\mathbb{F}_q)$ such that $a \bmod I(E(\mathbb{F}_q))$ generates this quotient. The fiber $I^{-1}(a)$ is an irreducible divisor. This means that the $d$ geometric points above $a$ are defined on a degree $d$ extension $L$ of $K$ and permuted by Galois action. We denote by $B = I^{-1}(a)$ the corresponding prime divisor. 
Since $L$ is the residue extension of $E$ at $B$, we can represent elements of $L$ in the following way: if $f$ is a function on $E$ with polar divisor disjoint to $B$, we denote by $f \bmod B \in L$ the residue of $f$ at $B$. 

For $f$ a function in $\mathbb{F}_q(E)$, the degree of $f$ is the number of poles of $f$ counted with multiplicities. For every $k \ge 0$ we call $\mathcal{F}_k$ the set of degree $\le k$ functions in $\mathbb{F}_q(E)$, having no pole at $B$. We denote by $V_k$ the corresponding set of residues in $L$, 

\[ V_k = \{ f \bmod B \mid f \in \mathcal{F}_k \}. \]

We have $V_0 = V_1 = K \subset V_2 \subset \dots \subset V_d = L$ (Riemann-Roch) and $V_k \times V_l \subset V_{k+l}$. It is clear also that $\mathcal{F}_k$ is Galois invariant since composition by a translation from $T$ does not affect the degree of a function. Therefore $V_k$ is invariant under the action of $\mathrm{Gal}(L/K)$. 

If we want to test whether an element $z$ of $L$ is in $V_k$, we look for a function $f$ in $\mathcal{F}_k$ such that $f \equiv z \pmod B$. This is an interpolation problem which is hardly more difficult than in the two previous cases (polynomials for Kummer and rational fractions for the torus). We look for $f$ as a quotient of two homogeneous forms of degree $\lceil k/3 \rceil$, which can be done with linear algebra. 

One can choose a smoothness basis consisting of all elements $f \bmod B$ in $V_k$ for a given $k$. Factoring an element $z = f \bmod B$ of $L$ boils down to factoring the divisor of $f$ as a sum of prime divisors of degree $\le k$. 

What conditions are sufficient for an elliptic curve to exist with all the required properties? Since the number of $\mathbb{F}_q$-rational points on the elliptic curve is divisible by $d$, the size $q$ of the field cannot be too small, that is 

\[ q + 2\sqrt{q} + 1 \ge d. \]

Assume $d$ is odd and there exists a squarefree multiple $D$ of $d$ such that $D \not\equiv 1 \bmod p$ and 

\[ q + 1 - 2\sqrt{q} \le D \le q + 1 + 2\sqrt{q}. \]

There exists an ordinary elliptic curve $E$ over $\mathbb{F}_q$ having $D$ rational points over $\mathbb{F}_q$ and trace $t = q + 1 - D$. The ring $\mathbb{Z}[\phi]$ is integrally closed locally at every odd prime dividing $D$. The larger ring $\mathrm{End}(E)$ has the same property. The ideal $(\phi - 1)$ of $\mathrm{End}(E)$ has a unique degree $d$ factor $\mathfrak{i}$. The quotient $\mathrm{End}(E)/\mathfrak{i}$ is cyclic and $\mathfrak{i}$ is invertible in $\mathrm{End}(E)$. 

Given $q$ and $\phi$ (a quadratic integer) as above, one can find an elliptic curve $E/\mathbb{F}_q$ by exhaustive search or using complex multiplication theory. 

Example. Let $p = q = 11$, and $d = D = 7$, so $t = 5$ and $\phi^2 - 5\phi + 11 = 0$. The elliptic curve $E$ with equation $y^2 + xy = x^3 + 2x + 8$ has complex multiplication by $\mathbb{Z}[\frac{\sqrt{-19} + 1}{2}]$. The discriminant of $\mathbb{Z}[\phi]$ is $-19$, so $\mathrm{End}(E) = \mathbb{Z}[\phi]$. The ideal $\mathfrak{i} = (\phi - 1)$ is invertible and its kernel $T$ is the full group of $\mathbb{F}_q$-rational points on $E$. The kernel of the degree 7 isogeny $I : E \to F$ is the group of rational points on $E$ and for any non zero $a \in F(\mathbb{F}_{11})$, the fiber $B = I^{-1}(a)$ is irreducible. 
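The following Python script, added here and not part of the paper, checks the example by brute force: it counts the points of $E : y^2 + xy = x^3 + 2x + 8$ over $\mathbb{F}_{11}$, recovers the trace $t = q + 1 - D$ and the discriminant $t^2 - 4q$ of $\mathbb{Z}[\phi]$, and tests the sufficient conditions stated above ($d$ odd, $D$ a squarefree multiple of $d$ in the Hasse interval with $D \not\equiv 1 \bmod p$); the function names are ours.

```python
# Constructed check of the section 8 example; curve coefficients follow the
# generalised Weierstrass form y^2 + a1 xy + a3 y = x^3 + a2 x^2 + a4 x + a6.
E = (1, 0, 0, 2, 8)   # y^2 + xy = x^3 + 2x + 8
P = 11

def discriminant(curve, p):
    """Discriminant of the curve from Silverman's b-invariants, reduced mod p."""
    a1, a2, a3, a4, a6 = curve
    b2 = a1 * a1 + 4 * a2
    b4 = a1 * a3 + 2 * a4
    b6 = a3 * a3 + 4 * a6
    b8 = a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4
    return (-b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6) % p

def affine_points(curve, p):
    """All (x, y) in F_p^2 on the curve, by exhaustive search."""
    a1, a2, a3, a4, a6 = curve
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y + a1 * x * y + a3 * y - (x ** 3 + a2 * x * x + a4 * x + a6)) % p == 0]

def count_points(curve, p):
    """#E(F_p): affine solutions plus the point at infinity."""
    return len(affine_points(curve, p)) + 1

def frobenius_data(D, q):
    """Trace t = q + 1 - D and discriminant t^2 - 4q of Z[phi], phi^2 - t phi + q = 0."""
    t = q + 1 - D
    return t, t * t - 4 * q

def is_squarefree(n):
    k = 2
    while k * k <= n:
        if n % (k * k) == 0:
            return False
        k += 1
    return True

def sufficient_conditions(d, D, q, p):
    """Section 8: d odd, D squarefree multiple of d, D != 1 mod p, D in the Hasse interval."""
    in_hasse = (D - q - 1) ** 2 <= 4 * q
    return d % 2 == 1 and D % d == 0 and is_squarefree(D) and D % p != 1 and in_hasse

if __name__ == "__main__":
    D = count_points(E, P)
    t, disc = frobenius_data(D, P)
    print("nonsingular:", discriminant(E, P) != 0, " #E(F_11) =", D)
    print(f"phi^2 - {t} phi + {P} = 0, disc(Z[phi]) = {disc}")
    print("conditions of section 8 hold for d = D = 7:", sufficient_conditions(7, D, P, P))
```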
9 Sieving algorithms and surfaces 



There exists a family of algorithms for factoring integers and computing discrete logarithms that rely on intersection theory on algebraic or arithmetic surfaces. These algorithms are known as the number field sieve, the function field sieve, etc. The core of these algorithms is illustrated on the front page of the book [5]. In this section, we present the ideas underlying this family of algorithms in a rather general setting. This will help us to describe our construction in the next section 10. The sieving algorithm invented by Joux and Lercier in [3] for computing discrete logarithms will serve as a nice illustration for these ideas. 

Let $\mathbb{F}_p$ be the field with $p$ elements where $p$ is prime. Let $S$ be a smooth projective reduced, absolutely irreducible surface over $\mathbb{F}_p$. Let $A$ and $B$ be two absolutely irreducible curves on $S$. Let $X$ be an irreducible sub-variety of the intersection $A \cap B$. We assume that $A$ and $B$ meet transversely at $X$ and we denote by $d$ the degree of $X$. The residue field of $X$ is $\mathbb{F}_p(X) = \mathbb{F}_q$ with $q = p^d$. 

We need a pencil (linear or at least algebraic and connected) of effective divisors on $S$. We denote it by $(D_\lambda)_{\lambda \in \Lambda}$ where $\Lambda$ is the parameter space. 

We fix an integer $k$ and we look (at random) for divisors $D_\lambda$ in the pencil, such that both intersection divisors $D_\lambda \cap A$ and $D_\lambda \cap B$ are disjoint to $X$ and $k$-smooth (they split as sums of effective $\mathbb{F}_p$-divisors of degree $\le k$). 

We define an equivalence relation $\equiv_X$ on the set of divisors on $S$ not meeting $X$: we say $D \equiv_X 0$ if and only if $D$ is the divisor of a function $f$ and $f$ is constant modulo $X$. The equivalence classes for this relation are parameterized by points in some algebraic group denoted $\mathrm{Pic}(S, X)$. This algebraic group is an extension of $\mathrm{Pic}(S)$ by a torus $T_X$ of dimension $d - 1$. 

One similarly defines the algebraic groups $\mathrm{Pic}(A, X)$ and $\mathrm{Pic}(B, X)$. These are generalized jacobians of $A$ and $B$ respectively. The natural (restriction) morphisms $\mathrm{Pic}(S, X) \to \mathrm{Pic}(A, X)$ and $\mathrm{Pic}(S, X) \to \mathrm{Pic}(B, X)$ induce the identity on the torus $T_X$. 

Let $N$ be an integer that kills the three groups $\mathrm{Pic}^0(S)(\mathbb{F}_p)$, $\mathrm{Pic}^0(A)(\mathbb{F}_p)$ and $\mathrm{Pic}^0(B)(\mathbb{F}_p)$. Let $\lambda$ and $\mu$ be two parameters in $\Lambda$ corresponding to the divisors $D_\lambda$ and $D_\mu$ of our pencil. We assume that $D_\lambda \cap A$, $D_\mu \cap A$, $D_\lambda \cap B$ and $D_\mu \cap B$ are smooth and disjoint from $X$.

Let $D_\lambda \cap A = \sum_i a_i$, $D_\mu \cap A = \sum_j b_j$, $D_\lambda \cap B = \sum_k c_k$ and $D_\mu \cap B = \sum_l d_l$ be decompositions as sums of effective divisors on $A$ and $B$ of degree $\le k$. The divisor $D_\lambda - D_\mu$ is algebraically equivalent to zero and $N(D_\lambda - D_\mu)$ is principal.

Let $f$ be a function on $S$ with divisor $N(D_\lambda - D_\mu)$. We fix a smooth divisor $X_A$ on $A$ (resp. $Y_B$ on $B$) of degree 1. For every $i$ and $j$, let $\alpha_i$ and $\beta_j$ be functions on $A$ with divisors $N(a_i - \deg(a_i) X_A)$ and $N(b_j - \deg(b_j) X_A)$. Similarly, for every $k$ and $l$, let $\gamma_k$ and $\delta_l$ be functions on $B$ with divisors $N(c_k - \deg(c_k) Y_B)$ and $N(d_l - \deg(d_l) Y_B)$. There exist two multiplicative constants $c$ and $c'$ in $\mathbb{F}_p^*$ such that

$$f = c \cdot \frac{\prod_i \alpha_i}{\prod_j \beta_j} = c' \cdot \frac{\prod_k \gamma_k}{\prod_l \delta_l} \bmod X.$$

This congruence can be regarded as a relation in the group $T_X(\mathbb{F}_p) = \mathbb{F}_q^*/\mathbb{F}_p^*$. The factors in the first fraction belong to the smoothness basis on the $A$ side: they are residues modulo $X$ of functions on $A$ of degree $\le k$. Similarly, the factors in the second fraction belong to the smoothness basis on the $B$ side: they are residues modulo $X$ of functions on $B$ of degree $\le k$.

Joux and Lercier take $S/\mathbb{F}_p$ to be $S = \mathbb{P}^1 \times \mathbb{P}^1$, the product of $\mathbb{P}^1$ with itself over $\mathbb{F}_p$. To avoid any confusion we call $C_1 = \mathbb{P}^1/\mathbb{F}_p$ the first factor and $C_2 = \mathbb{P}^1/\mathbb{F}_p$ the second factor. Let $O_1$ be a rational point on $C_1$ and $U_1 = C_1 - O_1$. Let $x$ be an affine coordinate on $U_1 \simeq \mathbb{A}^1$. We similarly choose $O_2$, $U_2$ and an affine coordinate $y$ on $U_2$.

They choose $A$ to be the Zariski closure in $S$ of the curve in $U_1 \times U_2$ with equation $y = f(x)$, where $f$ is a polynomial of degree $d_f$ in $\mathbb{F}_p[x]$. As for $B$, they choose the Zariski closure in $S$ of the curve with equation $x = g(y)$, where $g$ is a polynomial of degree $d_g$ in $\mathbb{F}_p[y]$.

The Néron-Severi group of a product of two smooth absolutely irreducible projective curves is $\mathbb{Z} \times \mathbb{Z} \times$ the group of homomorphisms between the Jacobians of the two curves. See [9, Mumford's appendix to Chapter VI]. The formula for the intersection of two classes is also given in this appendix.

Here the Néron-Severi group of $S$ is $\mathbb{Z} \times \mathbb{Z}$. The algebraic equivalence class of a divisor $D$ is given by its bidegree $(d_x(D), d_y(D))$, where $d_x(D) = D.(C_1 \times O_2)$ and $d_y(D) = D.(O_1 \times C_2)$. The intersection form is given by the formula

$$D.E = d_x(E)\, d_y(D) + d_x(D)\, d_y(E).$$

The bidegree of $A$ is $(d_f, 1)$ and the bidegree of $B$ is $(1, d_g)$. So $A.B = 1 + d_f d_g$, and the intersection of $A$ and $B$ consists of the point $O_1 \times O_2$ and of the $d_f d_g$ points of the form $(a, f(a))$, where $a$ is one of the $d_f d_g$ roots of $g(f(x)) - x$.

Let $h(x)$ be a simple irreducible factor of the latter polynomial and let $d$ be its degree. We take $X$ to be the corresponding zero-dimensional variety of degree $d$. The residue field $\mathbb{F}_p(X)$ is finite of order $q = p^d$.

To finish, we need a pencil of effective divisors $(D_\lambda)_{\lambda \in \Lambda}$ on $S$. It is standard to take for $\Lambda$ the set of polynomials $\lambda$ in $\mathbb{F}_p[x, y]$ of given bidegree $(u_x, u_y)$, where $u_x$ and $u_y$ are chosen according to $p$ and $q$. The divisor $D_\lambda$ corresponding to $\lambda$ is the Zariski closure of the zero set of $\lambda$. It has bidegree $(u_x, u_y)$ too.

We fix an integer $k$ and look for divisors $D_\lambda$ such that the two intersection divisors $D_\lambda \cap A$ and $D_\lambda \cap B$ are disjoint from $X$ and $k$-smooth. For example, if $\lambda(x, y)$ is a polynomial in $x$ and $y$, the intersection of $D_\lambda$ and $A$ has degree $d_f u_y + u_x$. Its affine part is given by the roots of the polynomial $\lambda(x, f(x)) = 0$. Similarly, the intersection of $D_\lambda$ and $B$ has degree $u_y + u_x d_g$. Its affine part is given by the roots of the polynomial $\lambda(g(y), y) = 0$. Joux and Lercier explain how to choose $u_x$, $u_y$ and $k$ according to $p$ and $d$.
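As an added worked example, not part of the paper, the following Python code carries out the Joux-Lercier setting just described over $\mathbb{F}_{61}$: it forms $g(f(x)) - x$, extracts an irreducible factor $h$ defining $X$ and $\mathbb{F}_p(X) = \mathbb{F}_p[x]/(h)$, restricts an element $\lambda$ of a pencil of bidegree $(u_x, u_y)$ to $A$ (through $y = f(x)$) and to $B$ (through $x = g(y)$), tests $k$-smoothness by distinct-degree factorisation, and checks that the two restrictions are one and the same element of $\mathbb{F}_p(X)$, which is what turns a smooth $\lambda$ into a relation. The polynomials $f$ and $g$, the bidegree $(1, 1)$, the bound $k = 2$ and all function names are this example's own choices, not the paper's parameters.

```python
import random

p = 61                                   # prime of this example (illustrative choice)

# Polynomials over F_p are coefficient lists, low degree first.
def trim(a):
    while a and a[-1] % p == 0:
        a.pop()
    return a

def monic(a):
    inv = pow(a[-1], p - 2, p); return [c * inv % p for c in a]

def padd(a, b):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p for i in range(n)])

def psub(a, b): return padd(a, [(-c) % p for c in b])

def pmul(a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            r[i + j] = (r[i + j] + u * v) % p
    return trim(r)

def ppow(a, e):
    r = [1]
    for _ in range(e):
        r = pmul(r, a)
    return r

def pdivmod(a, b):                       # quotient and remainder of a by b (b nonzero)
    a, inv = trim([c % p for c in a]), pow(b[-1], p - 2, p)
    q = [0] * max(len(a) - len(b) + 1, 0)
    while len(a) >= len(b):
        k, c = len(a) - len(b), a[-1] * inv % p
        q[k] = c
        for i, v in enumerate(b):
            a[i + k] = (a[i + k] - c * v) % p
        trim(a)
    return trim(q), a

def pgcd(a, b):                          # monic gcd, a nonzero
    while b:
        a, b = b, pdivmod(a, b)[1]
    return monic(a)

def ppowmod(a, e, m):
    r, a = [1], pdivmod(a, m)[1]
    while e:
        if e & 1:
            r = pdivmod(pmul(r, a), m)[1]
        a, e = pdivmod(pmul(a, a), m)[1], e >> 1
    return r

def pcompose(f, g):                      # f(g(x)) by Horner's rule
    r = []
    for c in reversed(f):
        r = padd(pmul(r, g), [c])
    return r

def pderiv(a): return trim([i * c % p for i, c in enumerate(a)][1:])

def ddf(F):
    """Distinct-degree factorisation of the squarefree part of F (deg F < p):
    {i: product of the monic irreducible factors of F of degree i}."""
    F = monic(F)
    F = pdivmod(F, pgcd(F, pderiv(F)))[0]
    out, xp, i = {}, [0, 1], 1
    while len(F) > 1:
        xp = ppowmod(xp, p, F)                       # x^(p^i) mod F
        g = pgcd(F, psub(xp, [0, 1]))                # product of the degree-i factors
        if len(g) > 1:
            out[i] = g
            F = pdivmod(F, g)[0]
            xp = pdivmod(xp, F)[1]
        i += 1
    return out

def is_smooth(F, k):                     # every irreducible factor of F has degree <= k
    d = ddf(F)
    return not d or max(d) <= k

def irreducible_factor(G, d, rng):       # one monic irreducible factor of degree d (Cantor-Zassenhaus)
    F = ddf(G).get(d)
    while F is not None and len(F) - 1 > d:
        a = [rng.randrange(p) for _ in range(len(F) - 1)]
        g = pgcd(F, psub(ppowmod(a, (p ** d - 1) // 2, F), [1]))
        if 1 < len(g) < len(F):
            F = g
    return F

f = [1, 2, 0, 1]          # A: y = f(x) = x^3 + 2x + 1, d_f = 3 (illustrative choice)
g = [5, 0, 1]             # B: x = g(y) = y^2 + 5,      d_g = 2 (illustrative choice)
# A bivariate lambda is a dict {(i, j): c} standing for the sum of c x^i y^j.

def restrict_to_A(lam):                  # lambda(x, f(x)), a polynomial in x
    r = []
    for (i, j), c in lam.items():
        r = padd(r, pmul([0] * i + [c], ppow(f, j)))
    return r

def restrict_to_B(lam):                  # lambda(g(y), y), a polynomial in y
    r = []
    for (i, j), c in lam.items():
        r = padd(r, pmul(ppow(g, i), [0] * j + [c]))
    return r

def residue_field_modulus(seed=1):
    """G = g(f(x)) - x and an irreducible factor h of G of the largest degree d that occurs,
    so that F_p(X) = F_p[x]/(h) = F_{p^d}."""
    G = psub(pcompose(g, f), [0, 1])
    d = max(ddf(G))
    return G, irreducible_factor(G, d, random.Random(seed)), d

def same_residue(lam, h):
    """Both restrictions give the same element of F_p(X): y = f(x) on A, x = g(y) on B,
    and g(f(x)) = x modulo h."""
    on_A = pdivmod(restrict_to_A(lam), h)[1]
    on_B = pdivmod(pcompose(restrict_to_B(lam), f), h)[1]      # substitute y = f(x)
    return on_A == on_B

def find_smooth_relation(h, k=2, bidegree=(1, 1), tries=5000, seed=7):
    """First random lambda of the given bidegree whose two restrictions are k-smooth and
    non-zero modulo h (so lambda does not vanish at X); (lambda, lambda_A, lambda_B) or None."""
    rng, (ux, uy) = random.Random(seed), bidegree
    for _ in range(tries):
        lam = {(i, j): rng.randrange(p) for i in range(ux + 1) for j in range(uy + 1)}
        la, lb = restrict_to_A(lam), restrict_to_B(lam)
        if la and lb and pdivmod(la, h)[1] and is_smooth(la, k) and is_smooth(lb, k):
            return lam, la, lb
    return None

if __name__ == "__main__":
    G, h, d = residue_field_modulus()
    print("g(f(x)) - x =", G, "\nh =", h, " d =", d)
    rel = find_smooth_relation(h)
    if rel:
        print("2-smooth lambda:", rel[0], " same element of F_p(X):", same_residue(rel[0], h))
```

Run as a script it prints $h$ and the first 2-smooth $\lambda$ found. The routine `same_residue` is the identity $\lambda(x, f(x)) \equiv \lambda(g(f(x)), f(x)) \pmod h$: the two sides of the congruence displayed earlier in this section reduce to the same element of $\mathbb{F}_p(X)$, and replacing each side by the product of the residues of its factors is what yields the relation in $T_X(\mathbb{F}_p)$.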

10 Finite residue fields on elliptic squares

In this section we try to reconcile the generic construction of section 9 with the ideas developed in section 8. We would like the automorphisms of $\mathbb{F}_p(X)$ to be induced by automorphisms of the surface $S$. So let $E$ be an ordinary elliptic curve over $\mathbb{F}_p$ and let $\mathfrak{i}$ be an invertible ideal in the endomorphism ring $\mathrm{End}(E)$. We assume that $\mathfrak{i}$ divides $\phi - 1$ and that $\mathrm{End}(E)/\mathfrak{i}$ is cyclic of order $d \ge 2$. So $E(\mathbb{F}_p)$ contains a cyclic subgroup $T = \mathrm{Ker}\,\mathfrak{i}$ of order $d$. Let $I : E \to F$ be the quotient-by-$\mathrm{Ker}\,\mathfrak{i}$ isogeny and let $J : F \to E$ be such that $\phi - 1 = J \circ I$.

We take for $S$ the product $E \times E$ and, to avoid any confusion, we call $E_1$ the first factor and $E_2$ the second factor. Let $O_1$ be the origin on $E_1$ and $O_2$ the origin on $E_2$.

We use again the description of the Néron-Severi group of a product of two curves given in [9, Appendix to Chapter VI]. This time the Néron-Severi group of $S$ is $\mathbb{Z} \times \mathbb{Z} \times \mathrm{End}(E)$. The class $(d_1, d_2, \xi)$ of a divisor $D$ consists of its bidegree and of the induced isogeny. More precisely, $d_1$ is the intersection degree of $D$ and $E_1 \times O_2$, $d_2$ is the intersection degree of $D$ and $O_1 \times E_2$, and $\xi$ is the homomorphism from $E_1$ to $E_2$ induced by the correspondence associated with $D$.

Let $\alpha$ and $\beta$ be two endomorphisms of $E$ and let $a$ and $b$ be two $\mathbb{F}_p$-rational points on $E$. We take $A$ to be the inverse image of $a$ by the morphism from $E \times E$ to $E$ that maps $(P, Q)$ onto $\alpha(P) - Q$. Let $B$ be the inverse image of $b$ by the morphism from $E \times E$ onto $E$ that sends $(P, Q)$ onto $P - \beta(Q)$.

Assume $1 - \beta\alpha = \phi - 1$. The intersection of $A$ and $B$ consists of the points $(P, Q)$ such that $(\phi - 1)(P) = b - \beta(a)$ and $Q = \alpha(P) - a$.

We choose $a$ and $b$ such that there exists a point $c$ in $F(\mathbb{F}_p)$ generating $F(\mathbb{F}_p)/I(E(\mathbb{F}_p))$ and satisfying $J(c) = b - \beta(a)$. Then the intersection of $A$ and $B$ contains an irreducible component $X$ of degree $d$.

The class of $A$ is $(\alpha\bar\alpha, 1, \alpha)$. Indeed, the first coordinate of this triple is the degree of the projection $A \to E_2$ onto the second component, that is the number of solutions in $P$ of $\alpha(P) = Q + a$ for generic $Q$. This is the degree $\alpha\bar\alpha$ of $\alpha$. The second coordinate of this triple is the degree of the projection $A \to E_1$ onto the first component, that is the number of solutions in $Q$ of $Q = \alpha(P) - a$ for generic $P$. This is 1. The third coordinate is the morphism in $\mathrm{Hom}(E_1, E_2)$ induced by the correspondence $A$. This is clearly $\alpha$. In the same way, we prove that the class of $B$ is $(1, \beta\bar\beta, \bar\beta)$.

Now let $D$ be a divisor on $S$ and $(d_1, d_2, \xi)$ its class in the Néron-Severi group. The intersection degree of $D$ and $A$ is thus

$$D.A = d_1 + d_2\,\alpha\bar\alpha - \xi\bar\alpha - \bar\xi\alpha \qquad (3)$$

and similarly

$$D.B = d_1\,\beta\bar\beta + d_2 - \xi\beta - \bar\xi\bar\beta. \qquad (4)$$

We are particularly interested in the case where $\alpha$ and $\beta$ have norms of essentially the same size (that is, the square root of the norm of $\phi - 2$). We then obtain a behaviour similar to that of the algorithm of section 9, with an extra advantage: the smoothness bases on both $A$ and $B$ are Galois invariant.

Indeed, let $f_A$ be a function of degree $\le k$ on $A$. A point on $A$ is a couple $(P, Q)$ with $Q = \alpha(P) - a$. So the projection on the first component $\Pi_1 : E_1 \times E_2 \to E_1$ restricts to an isomorphism $A \to E_1$. There is a unique function $f_1$ on $E_1$ such that $f_A = f_1 \circ \Pi_1$. Assume now that $(P, Q)$ is in $X \subset A$. Then $f_A(P, Q) = f_1(P)$ is an element of the smoothness basis on $A$. We observe that $f_1(P)^p = f_1(\phi(P)) = f_1(P + t)$, where $t$ is in the kernel $T$ of $\mathfrak{i}$: $f_1$ has coefficients in $\mathbb{F}_p$, and $\phi(P) - P$ lies in $T = \mathrm{Ker}\, I$ because $\phi(P)$ is again a point of the fiber $I^{-1}(c)$. So $f_1(P)^p$ is the value at $P$ of $f_1 \circ \tau_t$, where $\tau_t : E_1 \to E_1$ is the translation by $t$. Since $f_1 \circ \tau_t$ and $f_1$ have the same degree, the value of $f_1 \circ \tau_t$ at $P$ is again an element of the smoothness basis. That way, one can divide by $d$ the size of either smoothness basis on $A$ and $B$.

As in section 9 we need a pencil of divisors on $S$ with small class in the Néron-Severi group. We choose small values of $(d_1, d_2, \xi)$ that minimize the expressions in Eq. (3) and Eq. (4) under the three constraints $d_1 \ge 1$, $d_2 \ge 1$ and

$$d_1 d_2 \ge \xi\bar\xi + 1. \qquad (5)$$

We look for effective divisors in the algebraic equivalence class $c = (d_1, d_2, \xi)$. Recall $O_1$ is the origin on $E_1$ and $O_2$ the origin on $E_2$. The graph $G = \{(P, Q) \mid Q = -\xi(P)\}$ of $-\xi : E_1 \to E_2$ is a divisor in the class $(\xi\bar\xi, 1, -\xi)$. The divisor $H = -G + (d_1 + \xi\bar\xi)\, O_1 \times E_2 + (d_2 + 1)\, E_1 \times O_2$ is in $c$. We compute the linear space

$$\mathcal{L}\big(-G + (d_1 + \xi\bar\xi)\, O_1 \times E_2 + (d_2 + 1)\, E_1 \times O_2\big)$$

using the (restriction) exact sequence

$$0 \to \mathcal{L}\big(-G + (d_1 + \xi\bar\xi)\, O_1 \times E_2 + (d_2 + 1)\, E_1 \times O_2\big) \to \mathcal{L}_{E_1}\big((d_1 + \xi\bar\xi)\, O_1\big) \otimes \mathcal{L}_{E_2}\big((d_2 + 1)\, O_2\big) \to \mathcal{L}_G(\Delta)$$

where $\Delta$ is the divisor on $G$ given by the intersection with

$$(d_1 + \xi\bar\xi)\, O_1 \times E_2 + (d_2 + 1)\, E_1 \times O_2.$$

This divisor has degree $d_1 + \xi\bar\xi + (d_2 + 1)\,\xi\bar\xi$, so the dimension of the right-hand term in the sequence above is equal to this number.

On the other hand, the middle term has dimension $(d_1 + \xi\bar\xi)(d_2 + 1)$, which is strictly bigger than the dimension of the right-hand term because of Inequality (5). So the linear space on the left is non-zero and the divisor class is effective. Inequality (5) is a sufficient condition for effectivity.

In practice, one computes a basis of $\mathcal{L}_{E_1}((d_1 + \xi\bar\xi)\, O_1)$ and a basis of $\mathcal{L}_{E_2}((d_2 + 1)\, O_2)$ and one multiplies the two bases (one takes all products of one element of the first basis with one element of the second basis). This produces a basis of $\mathcal{L}_{E_1}((d_1 + \xi\bar\xi)\, O_1) \otimes \mathcal{L}_{E_2}((d_2 + 1)\, O_2)$.

One selects enough (more than $d_1 + \xi\bar\xi + (d_2 + 1)\,\xi\bar\xi$) points $(A_i)_i$ on $G$ and one evaluates all functions of the above basis at all these points. A linear algebra calculation produces a basis of the subspace of $\mathcal{L}_{E_1}((d_1 + \xi\bar\xi)\, O_1) \otimes \mathcal{L}_{E_2}((d_2 + 1)\, O_2)$ consisting of the functions that vanish along $G$. For every function $\varphi$ in the latter subspace, the divisor of zeroes $(\varphi)_0$ of $\varphi$ (as a section of the divisor $(d_1 + \xi\bar\xi)\, O_1 \times E_2 + (d_2 + 1)\, E_1 \times O_2$) contains $G$, and the difference $(\varphi)_0 - G$ is an effective divisor in the linear equivalence class of $H$.

We have thus constructed a complete linear equivalence class inside $c$. To find the other linear classes in $c$, we recall that $E \times E$ is isomorphic to its Picard variety. So it suffices to replace $H$ in the above calculation by $H + E_1 \times Z_2 - E_1 \times O_2 + Z_1 \times E_2 - O_1 \times E_2$, where $Z_1$ and $Z_2$ run over $E_1(\mathbb{F}_p)$ and $E_2(\mathbb{F}_p)$ respectively.
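The linear-algebra step of this construction, carried out as an added example (this example's own Python, not the paper's code) over $\mathbb{F}_{61}$ for the curve $E : y^2 = x^3 + 20x + 21$ used in the experiments of section 11, with $c = (2, 2, 1)$: here $\xi = 1$, so $G$ is the graph $\{(P, -P)\}$ of $-1$, the two spaces are $\mathcal{L}_{E_1}(3O_1)$ and $\mathcal{L}_{E_2}(3O_2)$ with bases $\{1, x_1, y_1\}$ and $\{1, x_2, y_2\}$, and $\deg \Delta = 3 + 3 = 6$. The nine products are evaluated at the points $(P, -P)$ for all $P \in E(\mathbb{F}_{61})$ (75 affine points, more than 6), and the kernel of the evaluation matrix is computed by Gauss-Jordan elimination; it has dimension $9 - 6 = 3$, and the script checks that $y_1 x_2 + x_1 y_2$, $y_1 + y_2$ and $x_1 - x_2$ span it. Function names and the column ordering are assumptions of this example.

```python
p, A, B = 61, 20, 21                 # E : y^2 = x^3 + 20 x + 21 over F_61 (the curve of section 11)

def affine_points():
    """All affine F_61-rational points of E, by exhaustive search."""
    return [(x, y) for x in range(p) for y in range(p) if (y * y - x ** 3 - A * x - B) % p == 0]

def product_row(P, Q):
    """Values at (P, Q) of the nine products u*v, u in (1, x1, y1) (basis of L(3 O1)) and
    v in (1, x2, y2) (basis of L(3 O2)); column 3*i + j holds basis1[i] * basis2[j]."""
    (x1, y1), (x2, y2) = P, Q
    return [u * v % p for u in (1, x1, y1) for v in (1, x2, y2)]

def nullspace(rows, ncols):
    """Basis of {v : M v = 0} over F_p, M being the matrix with the given rows (Gauss-Jordan)."""
    M, pivots = [row[:] for row in rows], []
    for c in range(ncols):
        r = len(pivots)
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], p - 2, p)
        M[r] = [v * inv % p for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(u - f * v) % p for u, v in zip(M[i], M[r])]
        pivots.append(c)
    basis = []
    for free in [c for c in range(ncols) if c not in pivots]:
        v = [0] * ncols
        v[free] = 1
        for i, pc in enumerate(pivots):       # pivot coordinates follow from the reduced rows
            v[pc] = (-M[i][free]) % p
        basis.append(v)
    return basis

def rank(rows, ncols):
    return ncols - len(nullspace(rows, ncols))

def functions_vanishing_on_graph():
    """Coefficient vectors (in the product basis) spanning the functions of
    L(3 O1) (x) L(3 O2) that vanish on G = {(P, -P)}: the kernel of evaluation at (P, -P)."""
    rows = [product_row((x, y), (x, (-y) % p)) for x, y in affine_points()]
    return nullspace(rows, 9)

def paper_basis():
    """y1 x2 + x1 y2, y1 + y2 and x1 - x2 as vectors in the product basis."""
    vecs = []
    for terms in (((7, 1), (5, 1)), ((6, 1), (2, 1)), ((3, 1), (1, p - 1))):
        v = [0] * 9
        for col, c in terms:
            v[col] = c
        vecs.append(v)
    return vecs

def in_span(v, basis):
    return rank(basis + [v], 9) == rank(basis, 9)

if __name__ == "__main__":
    K = functions_vanishing_on_graph()
    print("dimension of the space vanishing on G:", len(K))
    print("y1 x2 + x1 y2, y1 + y2, x1 - x2 all in it:", all(in_span(v, K) for v in paper_basis()))
```

The same routine serves any class $c$ once the two Riemann-Roch bases and the graph of $-\xi$ are available; only `product_row` and the sampled points change.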

11 Experiments

In this section we give a practical example of the geometric construction of section 10. We perform a discrete logarithm computation in $\mathbb{F}_{61^{19}}$. In such a field, the Joux-Lercier algorithm would handle a factor basis of irreducible polynomials of degree 2 over $\mathbb{F}_{61}$, in two variables. Such a factor basis would have about 3600 elements. It turns out that in this case we can reduce the factor basis to only 198 elements using the ideas given in the previous section.



Initialization phase. We set $p = 61$ and consider the plane projective elliptic curve $E$ over $\mathbb{F}_p$ with equation $Y^2 Z = X^3 + 20XZ^2 + 21Z^3$. It is ordinary with trace $t = -14$, so $\#E(\mathbb{F}_p) = 76$. The ring generated by the Frobenius has discriminant $t^2 - 4p = -48$. The full endomorphism ring of $E$ is $\mathbb{Z}[\sqrt{-3}]$, the order of discriminant $-12$ in $\mathbb{Q}(\sqrt{-3})$: the $j$-invariant of $E$ is $j \equiv 15 \equiv 54000 \pmod{61}$, which is the $j$-invariant of the order of conductor 2, and not $0$, so $\mathrm{End}(E)$ is not the maximal order $\mathbb{Z}[(1 + \sqrt{-3})/2]$.

Let $\beta$ be the degree 3 endomorphism of $E$ given by

$$\beta : E \to E, \qquad (x : y : 1) \mapsto \left( \frac{20x^3 + 36x^2 + 35x + 40}{(x + 7)^2} : y\,\frac{58x^3 + 59x^2 + 12x + 21}{(x + 7)^3} : 1 \right),$$

whose kernel is the order 3 subgroup whose non-trivial points have abscissa $x = -7 = 54$. We check $\beta^2 = -3$ and we fix an isomorphism between $\mathrm{End}(E) \otimes \mathbb{Q}$ and $\mathbb{Q}(\sqrt{-3}) \subset \mathbb{C}$ by setting $\beta = \sqrt{-3}$. The Frobenius endomorphism is then $\phi = -7 + 2\sqrt{-3}$.

Let $\alpha$ be the degree 4 endomorphism defined by $\alpha = 1 + \beta = 1 + \sqrt{-3}$. It can be given explicitly by

$$\alpha : E \to E, \qquad (x : y : 1) \mapsto \left( \frac{49x^4 + 28x^3 + 55x^2 + 53x + 27}{(x + 25)(x + 27)^2} : y\,\frac{38x^5 + 37x^4 + 30x^3 + 49x^2 + 9x + 46}{(x + 25)^2 (x + 27)^3} : 1 \right).$$

Its kernel is cyclic of order 4: it is generated by a point of abscissa $x = -27 = 34$ whose double is the rational 2-torsion point $(36 : 0 : 1)$ of abscissa $-25$.

The endomorphism $\gamma = 1 - \beta\alpha = 4 - \sqrt{-3}$ has degree 19 and divides $\phi - 1 = -2\gamma$. The kernel of $\gamma$ consists of the following 19 rational points:

$$\mathrm{Ker}\,\gamma = \{(0 : 1 : 0),\ (11 : \pm 13 : 1),\ (14 : \pm 19 : 1),\ (21 : \pm 8 : 1),\ (35 : \pm 15 : 1),\ (40 : \pm 10 : 1),\ (41 : \pm 10 : 1),\ (45 : \pm 27 : 1),\ (48 : \pm 2 : 1),\ (51 : \pm 23 : 1)\}.$$

Let $S = E \times E$. We call $E_1 = E$ the first factor and $E_2 = E$ the second one. If $P$ and $Q$ are independent generic points on $E$, then $(P, Q)$ is a generic point on $S$. Let $a$ be the point on $E$ with coordinates $(52 : 24 : 1)$. Let $A \subset S$ be the curve with equation $\alpha(P) - Q = a$. Let $b$ be the point on $E$ with coordinates $(1 : 46 : 1)$. Let $B \subset S$ be the curve with equation $P - \beta(Q) = b$. The numerical class of $A$ is $(4, 1, 1 + \sqrt{-3})$ and the numerical class of $B$ is $(1, 3, -\sqrt{-3})$. Note that $b - \beta(a) = (57 : 11 : 1)$ has order 38 and generates $E(\mathbb{F}_p)$ modulo the image of $\gamma$.

Call $X$ the intersection $A \cap B$. It consists of the points $(P, Q)$ such that $(1 - \beta\alpha)(P) = b - \beta(a)$, $Q = \alpha(P) - a$, and thus $(\alpha\beta - 1)(Q) = a - \alpha(b)$. In terms of the affine coordinates $(x_1, y_1)$ of $P$ and $(x_2, y_2)$ of $Q$, the equation $P = \beta(Q) + b$ of $B$ reads

$$x_1 = \frac{(44x_2^4 + 12x_2^3 + 9x_2^2 + 46x_2 + 40)\, y_2 + x_2^6 + 26x_2^5 + 25x_2^3 + 41x_2^2 + 19x_2 + 6}{x_2^6 + 34x_2^5 + 41x_2^4 + 47x_2^3 + 7x_2^2 + 14x_2 + 58}, \qquad (6)$$

$$y_1 = \frac{(11x_2^7 + 2x_2^6 + 50x_2^5 + 59x_2^4 + 57x_2^3 + 30x_2^2 + 4x_2 + 14)\, y_2 + 46x_2^9 + 54x_2^8 + 2x_2^7 + 4x_2^6 + 52x_2^5 + 17x_2^4 + 60x_2^3 + 41x_2^2 + 48x_2 + 21}{x_2^9 + 51x_2^8 + 7x_2^7 + 32x_2^6 + 56x_2^5 + 48x_2^4 + 26x_2^3 + 49x_2^2 + 18x_2 + 41}, \qquad (7)$$

where the two denominators are $(x_2^3 + 17x_2^2 + 59x_2 + 27)^2$ and $(x_2^3 + 17x_2^2 + 59x_2 + 27)^3$, the cubic vanishing at the abscissae of the three points of $\beta^{-1}(-b)$; or alternatively $x_2, y_2$ can be given as functions of degree 8 and degree 12 in $x_1, y_1$.

The projection of $X$ on $E_1$ (resp. $E_2$) yields a place $\mathcal{P}$ (resp. $\mathcal{Q}$) of degree 19 defined in the affine coordinates $(x, y)$ by the equations

$$\mathcal{P} = \big(x_1^{19} + 60x_1^{18} + 25x_1^{17} + 21x_1^{16} + 23x_1^{15} + 22x_1^{14} + 49x_1^{13} + 38x_1^{12} + 30x_1^{11} + 57x_1^{10} + 3x_1^9 + 15x_1^8 + 26x_1^7 + 17x_1^6 + 45x_1^5 + 30x_1^4 + 48x_1^3 + 55x_1^2 + 18x_1 + 35,$$
$$\qquad y_1 + 12x_1^{18} + 38x_1^{17} + 5x_1^{16} + x_1^{15} + 45x_1^{14} + 42x_1^{13} + 18x_1^{12} + 34x_1^{11} + 39x_1^{10} + 59x_1^9 + 16x_1^8 + 18x_1^7 + 16x_1^6 + 36x_1^5 + 11x_1^4 + 9x_1^3 + 48x_1^2 + 59x_1 + 8\big),$$

$$\mathcal{Q} = \big(x_2^{19} + 25x_2^{18} + 34x_2^{17} + 46x_2^{16} + 16x_2^{15} + 14x_2^{14} + 58x_2^{13} + 52x_2^{12} + 39x_2^{11} + 48x_2^{10} + 18x_2^9 + 56x_2^8 + 41x_2^7 + 40x_2^6 + 11x_2^5 + 33x_2^4 + 55x_2^3 + 14x_2^2 + 5x_2 + 56,$$
$$\qquad y_2 + 42x_2^{18} + 40x_2^{17} + 23x_2^{16} + 41x_2^{15} + 14x_2^{14} + 12x_2^{13} + 30x_2^{12} + 50x_2^{11} + 33x_2^{10} + 33x_2^9 + 60x_2^8 + 15x_2^7 + 54x_2^6 + 13x_2^5 + 17x_2^4 + 31x_2^3 + 50x_2^2 + 52x_2 + 3\big).$$

The residue fields of these two places are isomorphic (both being degree 19 extensions of $\mathbb{F}_{61}$). We fix an isomorphism between these two residue fields by setting

$$x_2 \mapsto 2x_1^{18} + 57x_1^{17} + 21x_1^{16} + 10x_1^{15} + 54x_1^{14} + 35x_1^{13} + 45x_1^{12} + 27x_1^{11} + 41x_1^{10} + 55x_1^9 + 27x_1^8 + 36x_1^7 + 29x_1^6 + 50x_1^5 + 44x_1^4 + 18x_1^3 + 38x_1^2 + 51x_1 + 18. \qquad (8)$$

Fixing this isomorphism is equivalent to choosing a geometric point in $X$.
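As an added check (this example's own Python, not the authors' code), the following script redoes the $\mathbb{F}_{61}$ part of the initialization phase and then tests, in $\mathbb{F}_{61^{19}} = \mathbb{F}_{61}[x_1]/(\mathcal{P})$, the property behind the Galois-invariant basis of section 10: for the generic point $P = (x_1, y_1)$ of the place $\mathcal{P}$, the point $\phi(P) - P = (x_1^{61}, y_1^{61}) - (x_1, y_1)$ is an $\mathbb{F}_{61}$-rational point of $\mathrm{Ker}\,\gamma$. It counts $E(\mathbb{F}_{61})$, computes $j(E)$, generates the subgroup of $(11 : 48 : 1)$, finds the order of $(57 : 11 : 1)$, and represents elements of $\mathbb{F}_{61}[x]/(m)$ as coefficient lists with inversion by Fermat's little theorem. Assumptions of this example: the function names, the affine point encoding with `None` for the point at infinity, and that the place $\mathcal{P}$ is transcribed correctly (the script reports if the generic point is not on $E$).

```python
p, A, B = 61, 20, 21                 # E : y^2 = x^3 + 20 x + 21 over F_61 (the paper's curve)

# ---- F_61[x]/(m) for a monic m: elements are coefficient lists of length deg m (m = x gives F_61) ----
def fq_mul(a, b, m):
    n = len(m) - 1
    r = [0] * (2 * n - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            r[i + j] += u * v
    for k in range(2 * n - 2, n - 1, -1):           # fold x^k, k >= n, using x^n = -(m_0 + ... + m_{n-1} x^{n-1})
        c = r[k] % p
        for i in range(n):
            r[k - n + i] -= c * m[i]
    return [v % p for v in r[:n]]

def fq_add(a, b): return [(u + v) % p for u, v in zip(a, b)]
def fq_sub(a, b): return [(u - v) % p for u, v in zip(a, b)]
def fq_const(c, m): return [c % p] + [0] * (len(m) - 2)

def fq_pow(a, e, m):
    r = fq_const(1, m)
    while e:
        if e & 1:
            r = fq_mul(r, a, m)
        a, e = fq_mul(a, a, m), e >> 1
    return r

def fq_inv(a, m):                    # a^(q - 2) with q = 61^deg m (Fermat); m must be irreducible
    return fq_pow(a, p ** (len(m) - 1) - 2, m)

# ---- E over F_61[x]/(m): affine points (x, y), None = point at infinity ----
def ec_add(P, Q, m):
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or not any(y1):
            return None                                     # Q = -P
        num = fq_add(fq_mul(fq_const(3, m), fq_mul(x1, x1, m), m), fq_const(A, m))
        lam = fq_mul(num, fq_inv(fq_add(y1, y1), m), m)     # tangent slope (3x^2 + A) / 2y
    else:
        lam = fq_mul(fq_sub(y2, y1), fq_inv(fq_sub(x2, x1), m), m)
    x3 = fq_sub(fq_sub(fq_mul(lam, lam, m), x1), x2)
    return (x3, fq_sub(fq_mul(lam, fq_sub(x1, x3), m), y1))

def on_curve(P, m):
    x, y = P
    rhs = fq_add(fq_add(fq_mul(fq_mul(x, x, m), x, m), fq_mul(fq_const(A, m), x, m)), fq_const(B, m))
    return fq_mul(y, y, m) == rhs

M1 = [0, 1]                                                 # m = x, i.e. the prime field F_61
def pt(x, y): return ([x % p], [y % p])
def as_ints(P): return None if P is None else (P[0][0], P[1][0])

def count_points():                  # 1 + sum over x of (1 + Legendre symbol of x^3 + 20x + 21)
    n = 1
    for x in range(p):
        t = (x ** 3 + A * x + B) % p
        n += 1 if t == 0 else 2 if pow(t, (p - 1) // 2, p) == 1 else 0
    return n

def j_invariant():
    return 1728 * 4 * A ** 3 * pow(4 * A ** 3 + 27 * B ** 2, p - 2, p) % p

def point_order(P):
    k, Q = 1, P
    while Q is not None:
        Q, k = ec_add(Q, P, M1), k + 1
    return k

def kernel_gamma():                  # the subgroup generated by F1 = (11 : 48 : 1), listed as Ker gamma
    pts, Q = set(), None
    for _ in range(19):
        pts.add(as_ints(Q))
        Q = ec_add(Q, pt(11, 48), M1)
    return pts

# The place P of degree 19, transcribed from the text, coefficients low degree first:
PX = [35, 18, 55, 48, 30, 45, 17, 26, 15, 3, 57, 30, 38, 49, 22, 23, 21, 25, 60, 1]   # monic, degree 19
PY = [8, 59, 48, 9, 11, 36, 16, 18, 16, 59, 39, 34, 18, 42, 45, 1, 5, 38, 12]         # P contains y1 + PY(x1)

def frobenius_translation():
    """phi(P) - P for the generic point P = (x, -PY(x)) of the place, computed in F_61[x]/(PX);
    returned as a pair of integers when rational, None if the transcribed place is not on E."""
    n = len(PX) - 1
    x = [0, 1] + [0] * (n - 2)                              # the class of x
    y = [(-c) % p for c in PY]
    if not on_curve((x, y), PX):
        return None
    frob = (fq_pow(x, p, PX), fq_pow(y, p, PX))             # phi(P) = (x^61, y^61)
    t = ec_add(frob, (x, [(-c) % p for c in y]), PX)        # phi(P) + (-P)
    if t is not None and not any(t[0][1:] + t[1][1:]):
        return (t[0][0], t[1][0])
    return "not rational"

if __name__ == "__main__":
    print("#E(F_61) =", count_points(), " j(E) =", j_invariant(), " (54000 mod 61 =", 54000 % p, ")")
    print("order of (11,48):", point_order(pt(11, 48)), " order of (57,11):", point_order(pt(57, 11)))
    print("Ker gamma:", sorted(q for q in kernel_gamma() if q is not None))
    print("phi(P) - P on the place P:", frobenius_translation())
```

The printed translation point can be compared with the point $F_1$ that the linear algebra phase below attributes to the Frobenius on $\mathcal{P}$; the same computation with $\mathcal{Q}$ in place of $\mathcal{P}$ gives the point for the $B$ side.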

Sieving phase. We are now going to look for "smooth" functions on $S$. We first explain what we mean by smooth in this context. Let $\varepsilon(x_1, y_1, x_2, y_2)$ be a function on $S$. We assume $\varepsilon$ does not vanish at $X$. Let $\Pi_1 : S = E_1 \times E_2 \to E_1$ be the projection on the first factor. The restriction of $\Pi_1$ to $A$ is a bijection, so we can define a point on $A$ by its coordinates $(x_1, y_1)$. Let $\Pi_2 : S = E_1 \times E_2 \to E_2$ be the projection on the second factor. The restriction of $\Pi_2$ to $B$ is a bijection, so we can define a point on $B$ by its coordinates $(x_2, y_2)$.

Let $\varepsilon_1(x_1, y_1)$ (resp. $\varepsilon_2(x_2, y_2)$) be the restriction of $\varepsilon$ to $A$ (resp. $B$). For example, $\varepsilon_2(x_2, y_2)$ is obtained by substituting $x_1, y_1$ as functions of $x_2, y_2$ in $\varepsilon$ thanks to Eq. (6) and Eq. (7).

The function $\varepsilon$ is said to be smooth if the divisors of $\varepsilon_1$ and $\varepsilon_2$ both contain only places of degree at most $k$, for a small $k$. In our example we choose $k = 2$. Let us remark at this point that, thanks to the isomorphism given by Eq. (8), the reduction modulo $\mathcal{P}$ of $\varepsilon_1$ is equal to the reduction modulo $\mathcal{Q}$ of $\varepsilon_2$, and this yields an equality in $\mathbb{F}_{61^{19}}$.

To every non-zero function on $S$ one can associate a linear pencil of divisors. We define the linear (resp. numerical) class of the function to be the linear (resp. numerical) class of the divisor of its zeroes (or poles).

We shall first be interested in functions $\varepsilon$ with numerical class $(1, 0, 0)$. An effective divisor in this class is $c \times E_2$, where $c$ is a place of degree 1 on $E_1$, and it is not difficult to see that the intersection degrees of such a divisor with $A$ and $B$ are 1 and 3. Functions with numerical class $(2, 0, 0)$ are obtained in the same way.

Similarly, one finds functions $\varepsilon$ in the class $(0, 1, 0)$, derived from divisors $E_1 \times c$. The intersection degrees are now 4 and 1. Functions with numerical class $(0, 2, 0)$ are obtained in the same way too. More interesting, the class $(1, 1, 1)$, containing the divisors with equation $P = Q + c$, yields intersection degrees 3 and 4.

We finally consider the class $(2, 2, 1)$, which is by far much larger than the previous classes. The intersection degrees are 8 and 8. To enumerate functions in this class, we first build a basis of the linear space associated with divisors of degree 3 on both $E_1$ and $E_2$. That is, we consider $\mathcal{L}_{E_1}(3O_1)$ and $\mathcal{L}_{E_2}(3O_2)$, bases of which are given by $\{1, x_1, y_1\}$ and $\{1, x_2, y_2\}$. We then determine that a basis of the subspace of $\mathcal{L}_{E_1}(3O_1) \otimes \mathcal{L}_{E_2}(3O_2)$ consisting of the functions that vanish along the graph $G = \{(P, Q) \mid Q = -P\}$ is given by $\{y_1 x_2 + x_1 y_2,\; y_1 + y_2,\; x_1 - x_2\}$. An exhaustive enumeration of the functions of the form $y_1 x_2 + x_1 y_2 + \lambda(y_1 + y_2) + \mu(x_1 - x_2)$, with $\lambda, \mu \in \mathbb{F}_p$, yields useful equations.
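As an added check, not in the paper, we carry Eq. (3) and Eq. (4) through for the present $\alpha$ and $\beta$ to recover the intersection degrees quoted for these classes. With $\alpha = 1 + \sqrt{-3}$ and $\beta = \sqrt{-3}$ one has $\alpha\bar\alpha = 4$, $\alpha + \bar\alpha = 2$, $\beta\bar\beta = 3$ and $\beta + \bar\beta = 0$, so for a class $(d_1, d_2, \xi)$ with $\xi \in \mathbb{Z}$ (hence $\bar\xi = \xi$)

$$D.A = d_1 + d_2\,\alpha\bar\alpha - \xi(\alpha + \bar\alpha) = d_1 + 4d_2 - 2\xi, \qquad D.B = d_1\,\beta\bar\beta + d_2 - \xi(\beta + \bar\beta) = 3d_1 + d_2,$$

which gives

$$(1,0,0) \mapsto (1, 3), \quad (0,1,0) \mapsto (4, 1), \quad (1,1,1) \mapsto (3, 4), \quad (2,2,1) \mapsto (8, 8), \quad (2,2,2) \mapsto (6, 8).$$

The same intersection form applied to the classes $A = (4, 1, \alpha)$ and $B = (1, 3, \bar\beta)$ gives

$$A.B = 4 \cdot 3 + 1 \cdot 1 - \alpha\beta - \bar\alpha\bar\beta = 13 - \big((-3 + \sqrt{-3}) + (-3 - \sqrt{-3})\big) = 19 = N(1 - \beta\alpha) = N(4 - \sqrt{-3}),$$

the degree of $X$, as it must be.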

We give examples of such relations in Table 1.

Linear algebra phase. With our smoothness choice, the factor basis is derived from places of degree one and two. Since we prefer functions to divisors, the factor basis will contain the reductions modulo $\mathcal{P}$, resp. $\mathcal{Q}$, of the functions whose divisors are equal to $76(x_1 + u, y_1 + v) - 76(1/x_1, y_1/x_1)$, resp. $76(x_2 + u, y_2 + v) - 76(1/x_2, y_2/x_2)$ (remember that in our example $\#E(\mathbb{F}_p) = 76$, so that 76 times a degree-zero divisor of rational points is principal; for a place of degree 2 the pole at infinity has multiplicity 152). In this setting, the evaluation at $\mathcal{P}$ or $\mathcal{Q}$ of any smooth function can easily be written as a product of elements of the factor basis.

It is worth recalling that the action of the Frobenius on the reduction of a function modulo $\mathcal{P}$ or $\mathcal{Q}$ is equal to the reduction of a function whose poles and zeros are translated by one specific point of $\mathrm{Ker}\,\gamma$. In our example this point is $F_1 = (11 : 48 : 1)$ for the reduction modulo $\mathcal{P}$ and $F_2 = (45 : 34 : 1)$ for the reduction modulo $\mathcal{Q}$. For instance, let us consider a function $g$ whose divisor is equal to $76(x_1 + 41, y_1 + 8) - 76(1/x_1, y_1/x_1)$. Let us now consider a function $g_6$ which corresponds to $(-41 : -8 : 1) + 6F_1$, that is a function with divisor equal to $76(x_1 + 45, y_1 + 17) - 76(1/x_1, y_1/x_1)$. We have then

$$g^{p^6} = c \cdot g_6 \cdot f^{\,1 + p + p^2 + p^3 + p^4 + p^5}$$

for some $c \in \mathbb{F}_p^*$, where $f$ is a function whose divisor is equal to $76F_1 - 76(1/x_1, y_1/x_1)$.

Thanks to this observation, we can thus divide by 19 the size of the factor basis, at the expense, in the linear algebra phase, of entries equal to sums of powers of $p$. We finally have 4 meaningful places of degree 1 and 94 meaningful places of degree 2 on each side (the 76 rational points and the $(\#E(\mathbb{F}_{61^2}) - 76)/2 = (3648 - 76)/2 = 1786$ places of degree 2 fall into $76/19 = 4$ and $1786/19 = 94$ orbits under translation by $\mathrm{Ker}\,\gamma$), that is a total of 196 entries in our factor basis. Of course, under the Galois conjugations, most of the relations obtained in the sieving phase are redundant, but it does not really matter, since it is not difficult to restrict the sieving phase to the meaningful relations only.

We have

$$61^{19} - 1 = 2^2 \cdot 3 \cdot 5 \cdot 229 \cdot 607127818287731321660577427051.$$

We performed the linear algebra modulo the largest factor of $61^{19} - 1$, that is the 99-bit integer $607127818287731321660577427051$. This gives us the discrete logarithm in base $f \bmod X$ of any element of the smoothness basis. For instance, if $g$ is any function such that $\mathrm{div}\, g = 76(x_1^2 + 37x_1 + 54,\; y_1 + 41x_1 + 16) - 152(1/x_1, y_1/x_1)$, we find that

$$g^{2^2 \cdot 3 \cdot 5 \cdot 229} = \left(f^{2^2 \cdot 3 \cdot 5 \cdot 229}\right)^{471821537021905592692223848756}$$

in $\mathbb{F}_{61^{19}}$.
Table 1 lists, for each numerical class $(d_1, d_2, \xi)$ of a function $\varepsilon$ collected in the sieving phase, the divisor of $\varepsilon_1$ on $A$ (in the coordinates $x_1, y_1$) and the divisor of $\varepsilon_2$ on $B$ (in the coordinates $x_2, y_2$). A place is written by generators of its ideal; $[\ldots]$ marks an illegible entry.

Class $(1, 0, 0)$:
$\mathrm{div}\,\varepsilon_1 = (x_1 + 43, y_1 + 33) - (x_1 + 13, y_1 + 59)$
$\mathrm{div}\,\varepsilon_2 = (x_2^2 + x_2 + 52, y_2 + 10x_2 + 37) + (x_2 + 12, y_2 + 35) - (x_2 + 2, y_2 + 20) - (x_2^2 + 26x_2 + 39, y_2 + 5x_2 + 27)$

Class $(2, 0, 0)$:
$\mathrm{div}\,\varepsilon_1 = (x_1^2 + 56x_1 + 34, y_1 + 22x_1 + 52) - 2(x_1 + 13, y_1 + 59)$
$\mathrm{div}\,\varepsilon_2 = (x_2^2 + 37x_2 + 53, y_2 + 42x_2 + 58) + (x_2^2 + 12x_2 + 19, y_2 + 52x_2 + 43) + (x_2^2 + 41x_2 + 29, y_2 + 33x_2 + 41) - 2(x_2 + 2, y_2 + 20) - 2(x_2^2 + 26x_2 + 39, y_2 + 5x_2 + 27)$

Class $(0, 1, 0)$:
$\mathrm{div}\,\varepsilon_1 = (x_1^2 + 4x_1 + 12, y_1 + 55x_1 + 47) + (x_1^2 + 45x_1 + 31, y_1 + 19x_1 + 23) - (x_1 + 42, y_1 + 60) - (x_1 + 36, y_1 + 15) - (x_1^2 + 60x_1 + 25, y_1 + 36x_1 + 26)$
$\mathrm{div}\,\varepsilon_2 = (x_2 + 43, y_2 + 33) - (x_2 + 13, y_2 + 59)$

Class $(0, 2, 0)$:
$\mathrm{div}\,\varepsilon_1 = (x_1^2 + 26x_1 + 12, y_1 + 12x_1 + 32) + (x_1^2 + 48x_1 + 6, y_1 + 59) + (x_1^2 + 53x_1 + 56, y_1 + 42x_1 + 56) + (x_1^2 + 3x_1 + 38, y_1 + 17x_1 + 36) - 2(x_1 + 42, y_1 + 60) - 2(x_1 + 36, y_1 + 15) - 2(x_1^2 + 60x_1 + 25, y_1 + 36x_1 + 26)$
$\mathrm{div}\,\varepsilon_2 = (x_2^2 + 24x_2 + 39, y_2 + 37x_2 + 27) - 2(x_2 + 13, y_2 + 59)$

Class $(1, 1, 1)$:
$\mathrm{div}\,\varepsilon_1 = (x_1 + 2, y_1 + 41) + (x_1^2 + 26x_1 + 39, y_1 + 56x_1 + 34) - (x_1^2 + 48x_1 + 6, y_1 + 2) - (x_1 + 52, y_1 + 25)$
$\mathrm{div}\,\varepsilon_2 = (x_2 + 17, y_2 + 21) + (x_2^2 + 57x_2 + 11, y_2 + 33x_2 + [\ldots]) + (x_2 + 55, y_2 + 33) - (x_2^2 + 49x_2 + 42, y_2 + 26) - (x_2^2 + 3x_2 + 4, y_2 + 30x_2 + 20)$

Class $(2, 2, 2)$:
$\mathrm{div}\,\varepsilon_1 = (x_1^2 + 25x_1 + 42, y_1 + 5x_1 + 13) + (x_1^2 + 30x_1 + 19, y_1 + 52x_1 + 42) + (x_1^2 + 59x_1 + 30, y_1 + 28x_1 + 22) - 2(x_1^2 + 48x_1 + 6, y_1 + 2) - 2(x_1 + 52, y_1 + 25)$
$\mathrm{div}\,\varepsilon_2 = (x_2^2 + 30x_2 + 21, y_2 + 50x_2 + 52) + (x_2^2 + 41x_2 + 8, y_2 + 54x_2 + 58) + (x_2^2 + 32x_2 + 20, y_2 + 34x_2 + 28) + (x_2^2 + 42x_2 + 49, y_2 + 29x_2 + 51) - 2(x_2^2 + 49x_2 + 42, y_2 + 26) - 2(x_2^2 + 3x_2 + 4, y_2 + 30x_2 + 20)$

Class $(2, 2, 1)$:
$\mathrm{div}\,\varepsilon_1 = (x_1 + 24, y_1 + 33) + (x_1 + 25, y_1) + (x_1 + 35, y_1) + (x_1 + 60, y_1 + 46) + (x_1^2 + 33x_1 + 43, y_1 + 3x_1 + 34) + (x_1^2 + 53x_1 + 53, y_1 + 24x_1 + 33) - (x_1 + 1, y_1) - (x_1 + 54, y_1 + 4) - (x_1^2 + 17x_1 + 19, y_1 + 41x_1 + 21) - (x_1^2 + 51x_1 + 53, y_1 + 44x_1 + 31) - (x_1^2 + 55x_1 + 38, y_1 + 38x_1 + 58)$
$\mathrm{div}\,\varepsilon_2 = (x_2 + 3, y_2 + 42) + (x_2 + 29, y_2 + [\ldots]) + (x_2^2 + 7x_2 + 20, y_2 + 33x_2 + 46) + (x_2^2 + 38x_2 + 12, y_2 + 58x_2 + 6) + (x_2^2 + 42x_2 + 35, y_2 + 7x_2 + 41) - (x_2 + 1, y_2) - (x_2 + 11, y_2 + 42) - (x_2 + 16, y_2 + 34) - (x_2 + 50, y_2 + 13) - (x_2^2 + 26x_2 + 12, y_2 + 49x_2 + 29) - (x_2^2 + 47x_2 + 5, y_2 + 7x_2 + 14)$

Class $(2, 2, 1)$:
$\mathrm{div}\,\varepsilon_1 = (x_1 + 10, y_1 + 23) + (x_1 + 20, y_1 + x_1 + 30) + (x_1 + 29, y_1 + 1) + (x_1 + 41, y_1 + x_1 + 33) + (x_1^2 + 6x_1 + 17, y_1 + 25x_1 + 16) + (x_1^2 + 25x_1 + 12, y_1 + 25x_1 + 47) - (x_1 + 1, y_1) - (x_1 + 54, y_1 + 4) - (x_1^2 + 17x_1 + 19, y_1 + 41x_1 + 21) - (x_1^2 + 51x_1 + 53, y_1 + 44x_1 + 31) - (x_1^2 + 55x_1 + 38, y_1 + 38x_1 + 58)$
$\mathrm{div}\,\varepsilon_2 = (x_2 + [\ldots], y_2 + 60) + (x_2 + 36, y_2 + 15) + (x_2^2 + 15x_2 + 58, y_2 + 41x_2 + 39) + (x_2^2 + 23x_2 + 2, y_2 + 33x_2 + 7) + (x_2^2 + 44x_2 + 33, y_2 + 35x_2 + 28) - (x_2 + 1, y_2) - (x_2 + 11, y_2 + 42) - (x_2 + 16, y_2 + 34) - (x_2 + 50, y_2 + 13) - (x_2^2 + 26x_2 + 12, y_2 + 49x_2 + 29) - (x_2^2 + 47x_2 + 5, y_2 + 7x_2 + 14)$

Table 1: Some relations collected in the sieving phase.
12 Generalization and limitations

The construction of section 10 can and should be generalized.

Let $E$ be again an ordinary elliptic curve over $\mathbb{F}_p$ and let $\mathfrak{i}$ be an invertible ideal in the endomorphism ring $\mathrm{End}(E)$. We assume that $\mathfrak{i}$ divides $\phi - 1$ and that $\mathrm{End}(E)/\mathfrak{i}$ is cyclic of order $d \ge 2$. Let $F$ be the quotient of $E$ by the kernel $T$ of $\mathfrak{i}$ and $I : E \to F$ the quotient isogeny.

The integer $d$ belongs to the ideal $\mathfrak{i}$. Let $u$ and $v$ be two elements of $\mathfrak{i}$ such that $d = u + v$, $(u) = \mathfrak{i}\,\mathfrak{a}_1\mathfrak{b}_1$ and $(v) = \mathfrak{i}\,\mathfrak{a}_2\mathfrak{b}_2$, where $\mathfrak{a}_1, \mathfrak{b}_1, \mathfrak{a}_2, \mathfrak{b}_2$ are invertible ideals in $\mathrm{End}(E)$. We deduce the existence of two elliptic curves $E_1$ and $E_2$ and of four isogenies $\alpha_1 : E \to E_1$, $\beta_1 : E_1 \to F$, $\alpha_2 : E \to E_2$, $\beta_2 : E_2 \to F$ such that $\beta_1\alpha_1 + \beta_2\alpha_2 = I$.

These four isogenies, together with $I$, form a (non-commutative) diagram with $E$ at its source and $F$ at its target.

We set $S = E_1 \times E_2$. As for $A$ we choose the image of $(\alpha_1, \alpha_2) : E \to S$. And $B$ is the inverse image of $f$ by $\beta_1 + \beta_2 : S \to F$, where $f$ generates the quotient $F(\mathbb{F}_p)/I(E(\mathbb{F}_p))$. The intersection of $A$ and $B$ is the image by $(\alpha_1, \alpha_2)$ of $I^{-1}(f) \subset E$. We choose $u$ and $v$ such that $\mathfrak{a}_1$, $\mathfrak{b}_1$, $\mathfrak{a}_2$ and $\mathfrak{b}_2$ have norms close to the square root of $d$.

This construction is useful when the norm of $\mathfrak{i}$ is much smaller than the norm of $\phi - 1$. So we managed to construct Galois invariant smoothness bases for a range of finite fields. Our constructions go beyond the classical Kummer case. They are efficient when the degree $d$ is either well below $q$ or in the interval $]q + 1 - 2\sqrt{q},\ q + 1 + 2\sqrt{q}[$.